For something on topic... I'm trying to configure a new server with users stored in LDAP. I configured OpenLDAP with certs for TLS and to listen on a Unix socket (LDAPI). I configured nss_ldap to use start_tls and to talk on the ldapi:/// URI.
Everything works fine, except "su" from one user to another (su to root works okay, but root is not in LDAP). It mostly doesn't work, but does occasionally. If I change /etc/ldap.conf from "ssl start_tls" to "ssl off", or to use ldap://hostname/, it works. With ldapi:/// and start_tls, su fails with no error message or log entry. The last log entry when it fails is the PAM "session opened" message (there is no corresponding "session closed" entry).

I did an strace (as root with "-u user" to properly simulate su), and I see the process died with a SIGPIPE when writing to the LDAPI socket. I turned on slapd logging, and I see a socket closed with "connection lost" (I compared the LDAP log from a TLS config with a non-TLS config, and that's the only difference other than the STARTTLS command itself).

I was planning to use LDAPI for the local slapd because I thought it would have lower overhead. I planned to use TLS because I plan to have replicated slaves on other servers for redundancy, and I wanted to keep that connection secure (and I don't think you can configure nss_ldap to use TLS for some servers and not others).

It looks like there's either a bug in nss_ldap or the OpenLDAP client libraries; I'm leaning towards nss_ldap not handling something correctly, but why does it only show up with "su"?

-- 
Chris Adams <[email protected]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
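Added here as an illustration, not part of Chris's post: a small Python parser that performs the correlation his strace run relied on, mapping the file descriptor of the write that failed with EPIPE back to the connect() that opened the Unix socket, and noting whether that process was then killed by SIGPIPE. The strace excerpt, pid and socket path are constructed sample input, not output from his system.

```python
import re

# Constructed strace excerpt shaped like an "strace -f -u user su - other"
# run: the client connects to the LDAPI socket, sends a STARTTLS extended
# request, then dies with SIGPIPE on the next write. Not real output.
SAMPLE_TRACE = r"""12345 connect(3, {sa_family=AF_UNIX, sun_path="/var/run/ldapi"}, 110) = 0
12345 write(3, "0\35\2\1\1w\30\200\0261.3.6.1.4.1.1466.20037", 31) = 31
12345 read(3, "0\f\2\1\1x\7\n\1\0\4\0\4\0", 14) = 14
12345 write(3, "\26\3\1\0\177\1\0\0{", 132) = -1 EPIPE (Broken pipe)
12345 --- SIGPIPE (Broken pipe) @ 0 (0) ---
12345 +++ killed by SIGPIPE +++
"""

# strace -f prefixes each line with a pid; without -f there is none.
PID = r"^(?:(?P<pid>\d+)\s+)?"
CONNECT_RE = re.compile(PID + r'connect\((?P<fd>\d+), \{sa_family=AF_UNIX, sun_path="(?P<path>[^"]+)"\}')
CLOSE_RE = re.compile(PID + r"close\((?P<fd>\d+)\)")
EPIPE_RE = re.compile(PID + r"(?:write|send|sendto|sendmsg)\((?P<fd>\d+),.*= -1 EPIPE")
KILLED_RE = re.compile(PID + r"\+\+\+ killed by SIGPIPE")


def find_epipe_on_unix_sockets(trace):
    """Return one dict per EPIPE write: pid, fd, the Unix socket path that fd
    was connected to (None if unknown), and whether the pid was later killed
    by SIGPIPE."""
    sockets = {}  # (pid, fd) -> sun_path from the connect() that opened it
    events = []
    for line in trace.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            sockets[(m.group("pid"), m.group("fd"))] = m.group("path")
            continue
        m = CLOSE_RE.match(line)
        if m:  # fd numbers are reused, so forget the path once closed
            sockets.pop((m.group("pid"), m.group("fd")), None)
            continue
        m = EPIPE_RE.match(line)
        if m:
            key = (m.group("pid"), m.group("fd"))
            events.append({"pid": m.group("pid"), "fd": int(m.group("fd")),
                           "path": sockets.get(key), "killed": False})
            continue
        m = KILLED_RE.match(line)
        if m:
            for ev in events:
                if ev["pid"] == m.group("pid"):
                    ev["killed"] = True
    return events


if __name__ == "__main__":
    for ev in find_epipe_on_unix_sockets(SAMPLE_TRACE):
        print(ev)
```

Feed it `strace -f -o trace.txt ...` output instead of the sample to see which local socket a silently dying process was talking to.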
