Hi,
Well, I don't know what I'm doing wrong. I just want to authenticate Unix and Windows users against an OpenLDAP database. I followed some howtos to set up OpenLDAP, winbind etc., and nearly everything seems just fine. But authenticating Unix users finally doesn't work. I've attached the syslog output: "START TLS extension not supported". This is true, as I haven't configured OpenLDAP for TLS. But my LDAP client configuration doesn't specify an LDAPS URL. So what's going wrong?
Greetings, Jörg
#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#

# Your LDAP server. Must be resolvable without using LDAP.
URI ldap://localhost

# The distinguished name of the search base.
base dc=jetsys,dc=de

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# Don't try forever if the LDAP server is not reachable
bind_policy soft

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Manager,dc=jetsys,dc=de

# The credentials to bind with.
# Optional: default is no credential.
bindpw XXXXXXXXX

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=jetsys,dc=de
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 fd=23 ACCEPT from IP=127.0.0.1:15332 (IP=0.0.0.0:389)
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 RESULT tag=120 err=2 text=unsupported extended operation
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=1 UNBIND
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 fd=23 closed
Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 fd=23 ACCEPT from IP=127.0.0.1:15333 (IP=0.0.0.0:389)
Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 RESULT tag=120 err=2 text=unsupported extended operation
Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=1 UNBIND
Jul 9 07:32:27 xdaolin slapd[2241]: conn=703 fd=23 closed
Jul 9 07:32:27 xdaolin getent: nss_ldap: could not search LDAP server - Server is unavailable
Hi,
Jörg Spilker js@jetsys.de writes:
> Hi,
> Well, I don't know what I'm doing wrong. I just want to authenticate Unix and Windows users against an OpenLDAP database. I followed some howtos to set up OpenLDAP, winbind etc., and nearly everything seems just fine. But authenticating Unix users finally doesn't work. I've attached the syslog output: "START TLS extension not supported". This is true, as I haven't configured OpenLDAP for TLS. But my LDAP client configuration doesn't specify an LDAPS URL. So what's going wrong?
Some Linux distributions have enabled 'ssl start_tls' as default, please check your /etc/ldap.conf carefully.
-Dieter
--On Thursday, July 10, 2008 1:11 PM +0200 Dieter Kluenter dieter@dkluenter.de wrote:
> Hi,
> Jörg Spilker js@jetsys.de writes:
> > Hi,
> > Well, I don't know what I'm doing wrong. I just want to authenticate Unix and Windows users against an OpenLDAP database. I followed some howtos to set up OpenLDAP, winbind etc., and nearly everything seems just fine. But authenticating Unix users finally doesn't work. I've attached the syslog output: "START TLS extension not supported". This is true, as I haven't configured OpenLDAP for TLS. But my LDAP client configuration doesn't specify an LDAPS URL. So what's going wrong?
> Some Linux distributions have enabled 'ssl start_tls' as default, please check your /etc/ldap.conf carefully.
Also, don't confuse startTLS and LDAPS. They are two entirely different things.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Dieter Kluenter schrieb:
Hello Dieter,
> Some Linux distributions have enabled 'ssl start_tls' as default, please check your /etc/ldap.conf carefully.
Thanks for your help. Tracing getent passwd, I could see that ldap.conf is first searched for in /etc, then in /etc/openldap. And OpenSUSE 11.0 installs /etc/ldap.conf with the pwdutils package and /etc/openldap/ldap.conf with the openldap package. I did all my configuration work in /etc/openldap/ldap.conf. But /etc/ldap.conf contains the line ssl start_tls. I've now removed /etc/ldap.conf and the nss_ldap error is gone.
I will probably open a Bugzilla case because it's very annoying.
Greetings, Jörg
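The two checks a practitioner would run on a box showing this thread's symptoms, as an added example that is not part of the thread or of any OpenLDAP/nss_ldap code: which of the candidate ldap.conf files wins under the search order Jörg observed (/etc/ldap.conf before /etc/openldap/ldap.conf) and whether the winner carries Dieter's suspected 'ssl start_tls'; and whether the slapd log shows a StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) being answered with err=2, which is exactly what the quoted syslog excerpt contains. The sample config files and the log lines are embedded inline: the log lines are the thread's own, the distro-default /etc/ldap.conf is a constructed assumption modelled on the thread's description, and the search order is taken from Jörg's strace observation rather than from any nss_ldap documentation.

```python
"""Diagnose the 'unsupported extended operation' failure from this thread:
(1) which nss_ldap/pam_ldap ldap.conf is in effect and what TLS mode it asks
for, (2) whether slapd refused StartTLS. Example code, not from the thread."""
import re

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended operation

# Search order as observed with strace in the thread (assumption, not
# taken from nss_ldap documentation): /etc/ldap.conf wins if present.
SEARCH_ORDER = ["/etc/ldap.conf", "/etc/openldap/ldap.conf"]


def parse_ldap_conf(text):
    """Parse a pam_ldap/nss_ldap-style 'key value' file into a dict.
    Keys are case-insensitive; '#' comments and blank lines are skipped;
    a repeated key keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def effective_config(files):
    """files: {path: contents} for the config files that actually exist.
    Returns (winning_path, parsed settings) or (None, {})."""
    for path in SEARCH_ORDER:
        if path in files:
            return path, parse_ldap_conf(files[path])
    return None, {}


def tls_mode(settings):
    """'starttls' for 'ssl start_tls' (StartTLS on the plain port),
    'ldaps' for 'ssl on|yes|true' (TLS from byte one, normally port 636),
    'none' otherwise. StartTLS and LDAPS are different things."""
    value = settings.get("ssl", "").lower()
    if value == "start_tls":
        return "starttls"
    if value in ("on", "yes", "true"):
        return "ldaps"
    return "none"


# conn=<id> [op=<n>] <rest>  -- matches slapd's stats-level log lines
LOG_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:op=(\d+) )?(.*)$")


def find_starttls_refusals(log_lines):
    """Return the conn ids on which a StartTLS EXT request was answered with
    err=2 (protocolError, 'unsupported extended operation'), in log order."""
    pending, refused = set(), []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(3)
        if rest.startswith("EXT oid=" + STARTTLS_OID):
            pending.add(conn)
        elif conn in pending and rest.startswith("RESULT") and " err=2 " in rest:
            refused.append(conn)
            pending.discard(conn)
    return refused


# Constructed distro-default file with the suspect directive (assumption).
DISTRO_LDAP_CONF = "# installed by a distribution package\nhost 127.0.0.1\nssl start_tls\n"

# The user's own file, as posted in the thread (password redacted there too).
USER_LDAP_CONF = """\
URI ldap://localhost
base dc=jetsys,dc=de
ldap_version 3
bind_policy soft
binddn cn=Manager,dc=jetsys,dc=de
bindpw XXXXXXXXX
rootbinddn cn=Manager,dc=jetsys,dc=de
"""

SAMPLE_FILES = {"/etc/ldap.conf": DISTRO_LDAP_CONF,
                "/etc/openldap/ldap.conf": USER_LDAP_CONF}

# The slapd lines quoted in the thread (one connection's worth plus the
# second attempt), used here as sample input.
SAMPLE_LOG = [
    "Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 fd=23 ACCEPT from IP=127.0.0.1:15332 (IP=0.0.0.0:389)",
    "Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 EXT oid=1.3.6.1.4.1.1466.20037",
    'Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"',
    "Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 RESULT tag=120 err=2 text=unsupported extended operation",
    "Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=1 UNBIND",
    "Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 EXT oid=1.3.6.1.4.1.1466.20037",
    "Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 RESULT tag=120 err=2 text=unsupported extended operation",
    "Jul 9 07:32:27 xdaolin getent: nss_ldap: could not search LDAP server - Server is unavailable",
]


def diagnose(files, log_lines):
    """Combine both checks into one verdict string."""
    path, settings = effective_config(files)
    mode = tls_mode(settings)
    refused = find_starttls_refusals(log_lines)
    if mode == "starttls" and refused:
        return f"{path} forces StartTLS but slapd refused it on conn {', '.join(refused)}"
    return f"effective file {path}, tls mode {mode}, StartTLS refusals: {len(refused)}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_FILES, SAMPLE_LOG))
```

Running it against the embedded samples reports that /etc/ldap.conf forces StartTLS while slapd refused it on conn 702 and 703; dropping /etc/ldap.conf from the dict (what Jörg did on disk) makes /etc/openldap/ldap.conf the effective file with tls mode none. Two caveats worth keeping in mind when applying the thread's fix: removing the StartTLS requirement means nss_ldap binds in cleartext, which is tolerable only because the URI is ldap://localhost, and the posted file binds every lookup as cn=Manager with bindpw in a file that must be world-readable for nss_ldap to work in unprivileged processes; rootbinddn with /etc/ldap.secret (mode 600) is the intended place for a privileged credential, and the binddn used for ordinary lookups should be a low-privilege account.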
openldap-technical@openldap.org