ldapclient and TLS

From: Bob Cregan (bob.cregan@maths.bath.ac.uk)
Date: Fri Jun 10 2005 - 08:20:30 EDT


Hi
       I am having problems getting ldapclient (on a Solaris 9 machine)
to initialize the system using TLS. The client uses the default profile
on the LDAP server, which is running Sun ONE DS 5.2 on a Solaris 9
machine. The client was patched with the recommended cluster yesterday
and the server was patched with the cluster from about 7 weeks ago.

ldapclient list gives
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=Manager
NS_LDAP_BINDPASSWD= ************
NS_LDAP_SERVERS= *.*.*.*
NS_LDAP_SEARCH_BASEDN= dc=maths,dc=bath,dc=ac,dc=uk
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
 
Things to be considered
1) I believe I have set up cert7.db and key3.db correctly. This has been
verified by using the NSS certutil utility and by using a Netscape browser
(that uses the same cert7.db and key3.db files) to connect without
comment to https://ldap.server:636.

2) The other settings seem to be OK, as when I change NS_LDAP_AUTH to
"simple" (in the profile) the initialization succeeds.

3) A connection is started; I get the following in the server access
logs (the error logs report nothing):
[10/Jun/2005:12:44:09 +0100] conn=15750 op=-1 msgId=-1 - fd=343 slot=343 LDAPS connection from 138.38.**.** to 138.38.**.**
[10/Jun/2005:12:44:09 +0100] conn=15750 op=-1 msgId=-1 - closing - B1
[10/Jun/2005:12:44:09 +0100] conn=15750 op=-1 msgId=-1 - closed.

4) The client gives the following in the client cachemgr log:
Fri Jun 10 12:05:42.2530 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Fri Jun 10 12:05:42.4431 sig_ok_to_exit(): parent exiting...
Fri Jun 10 12:05:42.4767 Error: Unable to refresh profile:default:Session error no available conn.
Fri Jun 10 12:05:42.4773 Error: Unable to update from profile
Fri Jun 10 12:06:10.8090 ldap_cachemgr received KILLSERVER cmd from pid 1062, uid 0, euid 0

This implies a connection error, but it succeeds in reading the profile
the first time; otherwise "ldapclient list" would not give the values
found in the profile.

5) messages on the client gives (the server's messages give nothing):
Jun 10 13:17:34 vidar last message repeated 3 times
Jun 10 13:17:34 vidar nscd[1909]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Jun 10 13:17:34 vidar nscd[1909]: [ID 293258 user.error] libsldap: Status: 85 Mesg: openConnection: simple bind failed - Timed out
Jun 10 13:17:34 vidar nscd[1909]: [ID 293258 user.error] libsldap: Status: 85 Mesg: openConnection: simple bind failed - Timed out
Jun 10 13:17:34 vidar last message repeated 3 times
Jun 10 13:17:34 vidar nscd[1909]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Jun 10 13:17:34 vidar last message repeated 3 times
Jun 10 13:17:34 vidar nscd[1909]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Jun 10 13:17:34 vidar nscd[1909]: [ID 293258 user.error] libsldap: Status: 85 Mesg: openConnection: simple bind failed - Timed out
Jun 10 13:17:34 vidar nscd[1909]: [ID 293258 user.error] libsldap: Status: 85 Mesg: openConnection: simple bind failed - Timed out
Jun 10 13:17:34 vidar last message repeated 3 times
Jun 10 13:17:34 vidar nscd[1909]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.

6) Linux clients that use pam_ldap work fine over TLS, but I would
prefer not to have to port this to Solaris.

I'm a bit flummoxed.

Bob Cregan

-- 
------------------------------------------------------------
Bob Cregan
Unix Systems Administrator
Department of Mathematical Sciences,
The University of Bath
Claverton Down
Bath BA2 7AY
phone 01225 386068
mail bob.cregan@maths.bath.ac.uk
-------------------------------------------------------------
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
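An added example, not from the post or from any Sun tool: a small Python triage script for the two log formats quoted above. It flags LDAPS connections in the Sun ONE DS access log that the server closed before logging a single LDAP operation (the conn=15750 pattern) together with their disconnect code, and tallies the libsldap status codes from the client's syslog, expanding "last message repeated N times". The sample lines are constructed in those formats; the addresses and the second, healthy connection are placeholders.

```python
import re
from collections import defaultdict

# Constructed samples in the Sun ONE DS 5.2 access-log and Solaris syslog
# formats quoted in the post; addresses and the second connection are made up.
ACCESS_LOG = """\
[10/Jun/2005:12:44:09 +0100] conn=15750 op=-1 msgId=-1 - fd=343 slot=343 LDAPS connection from 192.0.2.10 to 192.0.2.20
[10/Jun/2005:12:44:09 +0100] conn=15750 op=-1 msgId=-1 - closing - B1
[10/Jun/2005:12:44:09 +0100] conn=15750 op=-1 msgId=-1 - closed.
[10/Jun/2005:12:44:12 +0100] conn=15751 op=-1 msgId=-1 - fd=344 slot=344 LDAPS connection from 192.0.2.11 to 192.0.2.20
[10/Jun/2005:12:44:12 +0100] conn=15751 op=0 msgId=1 - BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3
[10/Jun/2005:12:44:12 +0100] conn=15751 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[10/Jun/2005:12:44:40 +0100] conn=15751 op=1 msgId=-1 - closing - U1
"""
SYSLOG = """\
Jun 10 13:17:34 vidar nscd[1909]: [ID 293258 user.error] libsldap: Status: 85 Mesg: openConnection: simple bind failed - Timed out
Jun 10 13:17:34 vidar last message repeated 3 times
Jun 10 13:17:34 vidar nscd[1909]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
"""
CONN_RE = re.compile(r"conn=(\d+) op=(-?\d+) msgId=-?\d+ - (.*)$")
CLOSE_RE = re.compile(r"closing - (\w+)")
LIBSLDAP_RE = re.compile(r"libsldap: Status: (\d+) Mesg: (.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def tls_connections_without_ops(access_log):
    """conn id -> disconnect code for LDAPS connections closed before the server
    logged any LDAP operation (only op=-1 lines): conn=15750 in the post."""
    opened, saw_op, code = set(), set(), {}
    for m in filter(None, map(CONN_RE.search, access_log.splitlines())):
        conn, op, rest = m.group(1), int(m.group(2)), m.group(3)
        if "LDAPS connection from" in rest:
            opened.add(conn)
        elif op >= 0:          # any real operation means TLS + BER parsing worked
            saw_op.add(conn)
        if (c := CLOSE_RE.search(rest)):
            code[conn] = c.group(1)
    return {c: code.get(c, "?") for c in opened if c not in saw_op}

def libsldap_status_counts(syslog):
    """Count libsldap (Status, Mesg) pairs on the client, expanding syslog's
    'last message repeated N times' so the real failure rate is visible."""
    counts, last = defaultdict(int), None
    for line in syslog.splitlines():
        m = LIBSLDAP_RE.search(line)
        if m:
            last = (int(m.group(1)), m.group(2))
            counts[last] += 1
        elif last and (r := REPEAT_RE.search(line)):
            counts[last] += int(r.group(1))
    return dict(counts)
```

Run against real files with `tls_connections_without_ops(open("/path/to/access").read())`; a connection that shows up here with no operations logged never got past the TLS handshake on the server side, which narrows the search to the certificate databases and hostname/certificate matching rather than to the bind credentials.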


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:30:52 EDT