Re: TLS w/LDAP - SOLVED
(OT)

* Michael S. Zick wrote on Sun, May 31, 2009 at 08:05 -0500:
> A more general solution would be:
>
>     # Am I running as user 0 (root)?
>     uid=$(/usr/bin/id -u) 2>/dev/null
>     if [ $uid == 0 ] ; then

BTW, shouldn't it be just one = (to be compliant with POSIX and /usr/bin/test)?

oki,

Steffen

--[ End of message ]---8<===

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: TLS w/LDAP - SOLVED
On Tue, Jun 02, 2009 at 03:49:13PM +0200, Steffen DETTMER wrote:
> (OT)
>
> * Michael S. Zick wrote on Sun, May 31, 2009 at 08:05 -0500:
> > A more general solution would be:
> >
> >     # Am I running as user 0 (root)?
> >     uid=$(/usr/bin/id -u) 2>/dev/null
> >     if [ $uid == 0 ] ; then
>
> BTW, shouldn't it be just one = (to be compliant with POSIX and /usr/bin/test)?

Yes, and quotes are required, just in case id -u fails, and the uid
value is empty:

    if [ "$uid" = 0 ]

Michael must have had [[ ]] in mind, but forgot the outer [].

    [[ $uid == 0 ]]

note, the == is actually a pattern match when the second operand is
not quoted.

    $ [[ foo == f* ]] && echo match || echo no match
    match
    $ [[ foo == "f*" ]] && echo match || echo no match
    no match

For numeric equality:

    [[ $uid -eq 0 ]]

but, when comparing with 0, this returns true also when $uid is not a
number.

-- 
	Viktor.
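The failure the thread tracks down, and the two fixes discussed above (quoting the expansion, and not trusting a non-numeric uid to compare equal to 0), as an added example that is not code from the thread or from the krb5-workstation package. `fake_id_u` is a constructed stand-in for `/usr/bin/id -u` on a host where the lookup fails during login and prints nothing; `kerberos_path` mirrors the shape of the `/etc/profile.d/krb5-workstation.sh` snippet with the hardened check in place. The block is plain POSIX sh, so Viktor's bash-only `[[ ]]` forms are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces
#   -bash: [: =: unary operator expected
# as seen in /etc/profile.d/krb5-workstation.sh, and shows the hardened forms.

# Constructed stand-in for `/usr/bin/id -u`: prints its argument as the uid.
# Called with an empty argument it prints nothing and exits 1, which is what
# the failing lookup looked like in the set -x trace ("'[' = 0 ']'").
fake_id_u() {
    printf '%s' "$1"
    [ -n "$1" ]
}

# Original shape of the check: unquoted command substitution. With an empty
# result the shell runs `[ = 0 ]`, which `test` rejects as a usage error
# (exit status 2), and the root branch is never taken. Returns that status.
is_root_unquoted() {
    [ $(fake_id_u "$1") = 0 ] 2>/dev/null
}

# Hardened shape: quoted expansion and a single `=` (POSIX test). An empty
# result becomes `[ "" = 0 ]`, which is simply false instead of an error.
is_root_quoted() {
    uid=$(fake_id_u "$1") || uid=""
    [ "$uid" = 0 ]
}

# Strict variant: only a non-empty, all-digit uid may pass, so a failed or
# garbage lookup is never mistaken for uid 0 by a numeric comparison.
is_root_strict() {
    uid=$(fake_id_u "$1") || return 1
    case $uid in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    [ "$uid" -eq 0 ]
}

# Mirrors the profile.d snippet: prepend the Kerberos sbin directory only
# when running as root. Arguments: simulated `id -u` output, current PATH.
# Prints the resulting PATH.
kerberos_path() {
    path=$2
    if ! echo "$path" | grep -q /usr/kerberos/sbin; then
        if is_root_strict "$1"; then
            path=/usr/kerberos/sbin:$path
        fi
    fi
    printf '%s\n' "$path"
}

# Stand-alone demonstration: root, a failed lookup, and a regular user.
kerberos_path 0    /usr/local/bin:/bin:/usr/bin
kerberos_path ''   /usr/local/bin:/bin:/usr/bin
kerberos_path 1000 /usr/local/bin:/bin:/usr/bin
```

The interesting property is the second `kerberos_path` call: with the original unquoted test a failed `id -u` aborts the whole check with an error on every login, whereas the quoted and strict forms degrade to "not root" silently, which is the safe default for a PATH adjustment.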
RE: TLS w/LDAP
If you add set -x to the top of your script, you can see the script
execute line by line to locate the source of the error.

Dave

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John Kane
Sent: Saturday, May 30, 2009 12:53 AM
To: openssl-users@openssl.org
Subject: RE: TLS w/LDAP

Thanks for the response, Kyle. I've pretty much deduced what the error
is, but just cannot figure out where it is coming from. It only happens
when I turn on TLS for LDAP. There are really no 'variables' defined in
the LDAP configs; nothing using the '[ $blah = blahblah ]' syntax; that
is why I turned to this list hoping to find what other file (non-ldap)
might be read ONLY when I had the 'ssl start_tls' set in my ldap config.

John
Re: TLS w/LDAP - SOLVED
On Sun May 31 2009, John Kane wrote:
> After painstakingly commenting everything out of all startup files,
> then added them back in, I found the cause of the
>
>     -bash: [: =: unary operator expected
>
> error that has been occurring on all Linux servers since turning on
> LDAP TLS on INT.
>
> In the file: /etc/profile.d/krb5-workstation.sh
>
> The following is causing the issue:
>
>     if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
>         if [ `/usr/bin/id -u` = 0 ] ; then
>             PATH=/usr/kerberos/sbin:${PATH}
>         fi
>     fi
>
> If I add "" around the backticked command, the bash error goes away.
>
> Not sure who I need to open a ticket against :-)
>

A more general solution would be:

    # Am I running as user 0 (root)?
    uid=$(/usr/bin/id -u) 2>/dev/null
    if [ $uid == 0 ] ; then

Note the use of white space and the change from an assignment to a
test for equality.

Usually, such problems get reported to the distribution producer -
they know who wrote the script.

Mike

> Thanks,
> John
RE: TLS w/LDAP
Thanks for the help, all;

The (handy) 'set -x' in the /etc/profile did show the culprit:

    + for i in '/etc/profile.d/*.sh'
    + '[' -r /etc/profile.d/krb5-workstation.sh ']'
    + . /etc/profile.d/krb5-workstation.sh
    ++ echo /usr/local/bin:/bin:/usr/bin
    ++ /bin/grep -q /usr/kerberos/bin
    ++ PATH=/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin
    ++ echo /usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin
    ++ /bin/grep -q /usr/kerberos/sbin
    ++ '[' = 0 ']'
    -bash: [: =: unary operator expected

Thanks,
John

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Stoddard
Sent: Saturday, May 30, 2009 10:12 AM
To: openssl-users@openssl.org
Subject: RE: TLS w/LDAP

If you add set -x to the top of your script, you can see the script
execute line by line to locate the source of the error.

Dave
Re: TLS w/LDAP - SOLVED
They could also use $EUID == $UID == 0 to check the user ID, rather
than relying on an external utility.  ($EUID is the effective user
ID, $UID is the real uid.  Please see the bash man page for more
info.)

-Kyle H

On Sun, May 31, 2009 at 6:05 AM, Michael S. Zick open...@morethan.org wrote:
> On Sun May 31 2009, John Kane wrote:
>> In the file: /etc/profile.d/krb5-workstation.sh
>>
>> The following is causing the issue:
>>
>>     if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
>>         if [ `/usr/bin/id -u` = 0 ] ; then
>>             PATH=/usr/kerberos/sbin:${PATH}
>>         fi
>>     fi
>>
>> If I add "" around the backticked command, the bash error goes away.
>
> A more general solution would be:
>
>     # Am I running as user 0 (root)?
>     uid=$(/usr/bin/id -u) 2>/dev/null
>     if [ $uid == 0 ] ; then
>
> Note the use of white space and the change from an assignment to a
> test for equality.
>
> Usually, such problems get reported to the distribution producer -
> they know who wrote the script.
>
> Mike
Re: TLS w/LDAP - SOLVED
On Sun May 31 2009, Kyle Hamilton wrote:
> They could also use $EUID == $UID == 0 to check the user ID, rather
> than relying on an external utility.  ($EUID is the effective user
> ID, $UID is the real uid.  Please see the bash man page for more
> info.)
>

I didn't want to re-design it.
Just point out the difference between an assignment and an equality test.

Mike

> -Kyle H
>
> On Sun, May 31, 2009 at 6:05 AM, Michael S. Zick open...@morethan.org wrote:
>> A more general solution would be:
>>
>>     # Am I running as user 0 (root)?
>>     uid=$(/usr/bin/id -u) 2>/dev/null
>>     if [ $uid == 0 ] ; then
>>
>> Note the use of white space and the change from an assignment to a
>> test for equality.
>>
>> Mike
Re: TLS w/LDAP
On 05/30/2009 12:52 AM, John Kane wrote:
> Thanks for the response, Kyle. I've pretty much deduced what the error
> is, but just cannot figure out where it is coming from. It only happens
> when I turn on TLS for LDAP. There are really no 'variables' defined in
> the LDAP configs; nothing using the '[ $blah = blahblah ]' syntax; that
> is why I turned to this list hoping to find what other file (non-ldap)
> might be read ONLY when I had the 'ssl start_tls' set in my ldap config.
>
> John
>
> On Fri, May 29, 2009 at 1:34 PM, John Kane john.k...@prodeasystems.com wrote:
> I just turned on TLS on my LDAP (per instructions on
> http://www.openldap.org/faq/data/cache/185.html). Now all of my Linux
> servers give the following error on login:
>
>     -bash: [: =: unary operator expected
>
> Here's my configs
>
> I turn on TLS by adding the following in my /etc/ldap.conf (pam/nss file):
>
>     ssl start_tls
>     tls_checkpeer yes
>     tls_cacertfile /etc/openldap/cacerts/cacert.pem
>     tls_cacertdir /etc/openldap/cacerts/
>
> and have the following in my /etc/openldap/ldap.conf (openldap file):
>
>     HOST 172.25.3.97
>     BASE dc=example,dc=net
>     TLS_CACERTDIR /etc/openldap/cacerts/
>     TLS_REQCERT allow
>
> and my (self-signed) cacert:
<snip>

John,

I feel that having the TLS_CACERTFILE and TLS_CACERTDIR both defined is
causing a problem. I suggest sticking with the TLS_CACERTFILE and
comment out the other.

On the OpenLDAP side [(openldap file)] ... make it TLS_CACERT and
reference the cacert.pem file instead of using the TLS_CACERTDIR
directive.

Hope this helps,

---Sal
Re: TLS w/LDAP
Try looking in /etc/profile, ~/.profile, ~/.bashrc, or other startup
files.  You can always look at the man page for bash to figure out what
files it automatically reads, and the '-' at the beginning means that
it's a login shell.

-Kyle H

On May 29, 2009, at 9:52 PM, John Kane wrote:
> Thanks for the response, Kyle. I've pretty much deduced what the error
> is, but just cannot figure out where it is coming from. It only happens
> when I turn on TLS for LDAP. There are really no 'variables' defined in
> the LDAP configs; nothing using the '[ $blah = blahblah ]' syntax; that
> is why I turned to this list hoping to find what other file (non-ldap)
> might be read ONLY when I had the 'ssl start_tls' set in my ldap config.
>
> John
RE: TLS w/LDAP - SOLVED
After painstakingly commenting everything out of all startup files,
then added them back in, I found the cause of the

    -bash: [: =: unary operator expected

error that has been occurring on all Linux servers since turning on
LDAP TLS on INT.

In the file: /etc/profile.d/krb5-workstation.sh

The following is causing the issue:

    if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
        if [ `/usr/bin/id -u` = 0 ] ; then
            PATH=/usr/kerberos/sbin:${PATH}
        fi
    fi

If I add "" around the backticked command, the bash error goes away.

Not sure who I need to open a ticket against :-)

Thanks,
John

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kyle Hamilton
Sent: Saturday, May 30, 2009 5:04 PM
To: openssl-users@openssl.org
Subject: Re: TLS w/LDAP

Try looking in /etc/profile, ~/.profile, ~/.bashrc, or other startup
files.  You can always look at the man page for bash to figure out what
files it automatically reads, and the '-' at the beginning means that
it's a login shell.

-Kyle H
Re: TLS w/LDAP
That's an error in the script you're launching at startup.  I don't
know what it is, but I'd bet there's an unquoted '[' character
somewhere that is only evaluated when TLS LDAP is enabled.  (see the
'-bash: ' at the beginning of the line?  That tells you that bash is
generating the error message.)

-Kyle H

On Fri, May 29, 2009 at 1:34 PM, John Kane john.k...@prodeasystems.com wrote:
> I just turned on TLS on my LDAP (per instructions on
> http://www.openldap.org/faq/data/cache/185.html). Now all of my Linux
> servers give the following error on login:
>
>     -bash: [: =: unary operator expected
>
> The error goes away when I turn TLS back off. I cannot determine what
> is causing this error, or even which file contains the error. I've
> gone through my LDAP config file, cannot find an issue in any of
> these. Other than my cacert.pem, and the LDAP config files, are there
> other files that are read only when TLS is turned on?
>
> Thanks,
> John
>
> Here's my configs
>
> I turn on TLS by adding the following in my /etc/ldap.conf (pam/nss file):
>
>     ssl start_tls
>     tls_checkpeer yes
>     tls_cacertfile /etc/openldap/cacerts/cacert.pem
>     tls_cacertdir /etc/openldap/cacerts/
>
> and have the following in my /etc/openldap/ldap.conf (openldap file):
>
>     HOST 172.25.3.97
>     BASE dc=example,dc=net
>     TLS_CACERTDIR /etc/openldap/cacerts/
>     TLS_REQCERT allow
>
> and my (self-signed) cacert:
>
> [r...@serverx cacerts]# openssl x509 -text -in /etc/openldap/cacerts/cacert.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 0 (0x0)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, ST=Utah, O=Bigtime CA, OU=Signers, CN=Integration Root CA/emailaddress=john.sm...@myco.com
>         Validity
>             Not Before: May 28 04:37:13 2009 GMT
>             Not After : May 27 04:37:13 2012 GMT
>         Subject: C=US, ST=Utah, O=Bigtime CA, OU=Signers, CN=Integration Root CA/emailaddress=john.sm...@myco.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:b3:bf:f0:18:5d:7e:57:0a:ce:15:3c:28:2a:81:
>                     6d:e6:c5:31:98:7e:cc:09:03:d2:28:f2:33:3e:88:
>                     11:5f:7d:e1:18:33:38:7d:f5:fa:9d:89:a8:95:16:
>                     08:00:81:08:29:ac:37:b3:b1:2b:f3:20:52:15:d7:
>                     19:44:92:9c:45:e7:2e:58:fe:7e:07:d4:1f:5a:ad:
>                     59:91:37:84:14:a8:4e:df:54:a2:62:66:38:9b:f0:
>                     cf:48:01:68:0d:3a:7c:93:83:02:48:e0:76:a1:5c:
>                     f9:05:3b:49:1e:03:9a:fd:ea:ee:79:f7:87:66:96:
>                     b0:69:39:e1:e6:1a:bd:9e:0d
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 0B:FB:7D:0B:0D:17:A3:CD:79:02:A3:A3:92:57:15:6F:DE:38:07:3C
>             X509v3 Authority Key Identifier:
>                 keyid:0B:FB:7D:0B:0D:17:A3:CD:79:02:A3:A3:92:57:15:6F:DE:38:07:3C
>
>     Signature Algorithm: sha1WithRSAEncryption
>         28:52:3d:9c:90:d1:89:00:d7:9d:3b:06:a6:32:28:e8:c0:8d:
>         9d:5a:0b:79:bb:1a:c9:1a:8d:c6:3a:a5:ec:5d:4c:9f:20:4c:
>         c6:1e:41:df:7d:d5:fc:45:09:2b:4b:7c:ff:38:aa:ea:33:a0:
>         4a:be:7c:84:7c:58:e8:98:9b:c9:0e:4b:5b:11:c6:28:84:b1:
>         3f:bb:30:03:f6:38:40:9f:2d:32:bc:3a:97:b8:6f:fd:aa:9f:
>         67:a6:27:07:53:b2:40:41:86:b7:02:f2:6b:07:6f:1b:74:87:
>         63:3b:1b:89:13:08:cb:32:f0:3c:3b:5e:d6:df:e3:91:19:86:
>         7a:d4
> -----BEGIN CERTIFICATE-----
> MIIDDzCCAnigAwIBAgIBADANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UERhMCVVMx
> DjAMBgNVBAgTBVRleGFzMRMwEQYDVQQKEwpCaWd0aW1lIENBMRAwDgYDVQQLEwdT
> aWduZXJzMRwwGgYDVQQDExNJbnRlZ3JhdGlvbiBSb290IENBMSowKAYJKoZIhvcN
> AQkBFhtqb2huLmthbmVAcHJvZGVhc3lzdGV3cy5jb20wHhcNMDkwNTI4MDQzNzEz
> WhcNMTIwNTI3MDQzNzEzWjCBjjELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFz
> MRMwEQYDVQQKEwpCaWd0aW1lIENBMRAwDgYDVQQLEwdTaWduZXJzMRwwGgYDVQQD
> ExNJbnRlZ3JhdGlvbiBSb290IENBMSowKAYJKoZIhvcNAQkBFhtqb2huLmthbmVA
> cHJvZGVhc3lzdGVtcy5jb20wgZ8wDQYJKoZIhvcNAQE1BQADgY0AMIGJAoGBALO/
> 8BhdflcKzhU8KCqBbebFMZh+xAkD0ijyMz6IEV994RgzNX31+p2JqJUWCACBCCms
> N7OxK/MgUhXXGUSSnEXnLlj+fgfUH1qtWZE3hBSoTd9UomJmOJvwz0gBaA06fJOD
> AkjgdqFc+QU7SR4Dmv3q7nn3h2aWsGl54eYavZ4NAgMBAAGjezB5MAkGA1UdEwQC
> MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl
> MB0GA1UdDgQWBBQL+30LDRejzXkCo6OSVxVv3jgHPfAfBgNVHSMEGDAWgBQL+30L
> DRejzXkCo6OSVxVv3jgHPDANBgkqhkiG9w0BAQUFAAOBgQAoUj2ckOGJANedOwam
> MijowI2dWgt5uxrJGo3GOqXsXUyfIEzGHkHffdD8RQkrS3z/OKrqM6BKvnyEfFjo
> mJ7JDktbEcYohLE/uzAD9jhAny0yvDqXuG/9qp9npicHU7JAQYa3AvJrB28bdIdo
> OxuJEwjLNvA8O17W3+ORGYZ61A==
> -----END CERTIFICATE-----
RE: TLS w/LDAP
Thanks for the response, Kyle. I've pretty much deduced what the error
is, but just cannot figure out where it is coming from. It only happens
when I turn on TLS for LDAP. There are really no 'variables' defined in
the LDAP configs; nothing using the '[ $blah = blahblah ]' syntax; that
is why I turned to this list hoping to find what other file (non-ldap)
might be read ONLY when I had the 'ssl start_tls' set in my ldap config.

John

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kyle Hamilton
Sent: Friday, May 29, 2009 10:19 PM
To: openssl-users@openssl.org
Subject: Re: TLS w/LDAP

That's an error in the script you're launching at startup.  I don't
know what it is, but I'd bet there's an unquoted '[' character
somewhere that is only evaluated when TLS LDAP is enabled.  (see the
'-bash: ' at the beginning of the line?  That tells you that bash is
generating the error message.)

-Kyle H