Bug 59397 - ldap_starttls_s: Connect error
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: nss_ldap
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Nalin Dahyabhai
Aaron Brown
Reported: 2002-02-06 18:17 EST by Dax Kelson
Modified: 2007-04-18 12:39 EDT (History)
Doc Type: Bug Fix
Last Closed: 2002-02-06 18:19:38 EST
Description Dax Kelson 2002-02-06 18:17:27 EST
Description of problem:
nss_ldap works but pam_ldap gives "ldap_starttls_s error"

I have eight Red Hat 7.2 boxes that are clients to an OpenLDAP 2.0.22
server.

Eight of the clients work perfectly, two have problems.

All eight machines have the same /etc/ldap.conf:

host shaka.example.com
base dc=example,dc=com
ssl start_tls
pam_password exop

On the broken machine, logins don't work.

In syslog I see:

Feb  6 12:07:56 mooru sshd[3255]: pam_ldap: ldap_starttls_s: Connect error
Feb  6 12:08:00 mooru sshd[3255]: pam_ldap: ldap_result Can't contact LDAP server

On that same machine though, doing a "ls -al /home" works and I "see" the
proper user names and group names that were retrieved out of the OpenLDAP
server.  I would say that the nss_ldap module is working fine.

On the same broken server, this command (which uses TLS via the -ZZ option) also
works:

ldapsearch "uid=*" -x -ZZ

The OpenLDAP server is configured with:

security ssf=128

TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
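What "ssl start_tls" in ldap.conf asks libldap to do on the wire, as an added illustration (this is not code from the bug report, nor from nss_ldap, pam_ldap or OpenLDAP): ldap_starttls_s() first sends an LDAP ExtendedRequest whose requestName is the StartTLS OID 1.3.6.1.4.1.1466.20037 and, only if the server answers resultCode success (0), runs a TLS handshake on the same socket. A non-zero resultCode is a server-side refusal and would be logged as that LDAP error; OpenLDAP's libldap reports LDAP_CONNECT_ERROR ("Connect error") when the handshake after a success response fails. The encoder and decoder below are complete; the function start_tls(), its server_hostname and cafile parameters, and the two sample response byte strings (including the "TLS not available" diagnostic text) are assumptions constructed for this example, not captures from the reporter's server.

```python
"""StartTLS extended operation on the LDAP wire (added example, not from the bug)."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
LDAP_SUCCESS = 0

# BER tags used by the LDAPMessage encoding (RFC 4511)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] LDAPOID, primitive


def _ber_length(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_length(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    ext_req = _tlv(TAG_EXTENDED_REQUEST, _tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([msg_id])) + ext_req)


def parse_extended_response(data):
    """Decode an LDAPMessage carrying an ExtendedResponse.

    Returns (messageID, resultCode, diagnosticMessage).
    """
    tag, msg, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    msg_id = int.from_bytes(mid, "big")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    # LDAPResult components in order: resultCode, matchedDN, diagnosticMessage
    _, rc, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return msg_id, int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


def start_tls(sock, server_hostname, cafile):
    """Perform StartTLS on a connected plaintext LDAP socket (assumed helper).

    server_hostname must match the server certificate's subject (the FQDN check
    the reporter mentions); cafile is the CA that signed it (tls_cacertfile on
    the client side).
    """
    sock.sendall(starttls_request(1))
    _msg_id, rc, diag = parse_extended_response(sock.recv(4096))
    if rc != LDAP_SUCCESS:
        # The server refused the extended operation: an LDAP result, not "Connect error".
        raise RuntimeError("server refused StartTLS: resultCode %d %r" % (rc, diag))
    ctx = ssl.create_default_context(cafile=cafile)
    # A handshake failure here (untrusted CA, hostname mismatch, no cipher the
    # server's ssf requirement accepts) is the stage libldap reports as
    # LDAP_CONNECT_ERROR.
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


# Constructed sample responses (not captured from the reporter's server):
# messageID 1, resultCode success, empty matchedDN and diagnosticMessage
SAMPLE_SUCCESS = bytes.fromhex("300c 020101 7807 0a0100 0400 0400")
# messageID 1, resultCode unavailable (52), diagnostic "TLS not available"
SAMPLE_REFUSED = bytes.fromhex("301d 020101 7818 0a0134 0400 0411") + b"TLS not available"

if __name__ == "__main__":
    print(starttls_request(1).hex())
    print(parse_extended_response(SAMPLE_SUCCESS))
    print(parse_extended_response(SAMPLE_REFUSED))
```

Against a live server, open the socket with socket.create_connection((host, 389)) and hand it to start_tls(); the two sample responses exercise the decoder offline. The split between the two failure stages is the diagnostic value: a refusal carries an LDAP result code and diagnostic text from the server, while "Connect error" means the extended operation was accepted and the TLS negotiation itself did not complete.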
Comment 1 Dax Kelson 2002-02-06 18:19:30 EST
The OpenLDAP server's cert has the CORRECT FQDN.

Also, I grabbed the src.rpm for nss_ldap, and rebuilt it using the latest
release of both nss_ldap and pam_ldap (I couldn't get the DNS config patch to
apply properly).

No change.
Comment 2 Dax Kelson 2002-12-01 18:37:35 EST
When I run the OpenLDAP server on Linux instead of NetBSD on mips, all the
problems go away.
