Bug 596058 - SSL peer reports incorrect Message Authentication Code in versions >= 1.2.2
SSL peer reports incorrect Message Authentication Code in versions >= 1.2.2
Status: CLOSED DUPLICATE of bug 676384
Product: 389
Classification: Community
Component: Directory Server (Show other bugs)
7.1
All Linux
high Severity medium
: ---
: ---
Assigned To: Rich Megginson
Chandrasekar Kannan
:
Depends On:
Blocks: 434915
  Show dependency treegraph
 
Reported: 2010-05-26 04:55 EDT by Juan
Modified: 2015-01-04 18:42 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-04 07:59:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Juan 2010-05-26 04:55:26 EDT
Description of problem:

We are having trouble since we have updated from version 1.1.3 to 1.2.2 and 1.2.5. We have integrated CentOS/Redhat clients into LDAP. When we try to make "getent group", we only get one group and its members, but no the rest of the groups (should be more than 1000 groups). In the logs of dirsrv, we get the following error:

[03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection from XXXXX to XXXXX
[03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES
[03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=application manager,cn=config"
[03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH base="ou=Groups,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=2 filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid uniqueMember gidNumber"
[03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH base="uid=XXXXX,ou=XXXXX,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer reports incorrect Message Authentication Code.
[03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection from XXXXX to XXXXX
[03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES
[03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=application manager,cn=config"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=2 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=3 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=4 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=4 RESULT err=0 tag=101 nentries=1 etime=0

The following UIDs search after the group, are the members of the first group returned by the group search. The command "getent passwd" works fine. This only happens in servers upgraded to 389-ds-base 1.2.2 or 1.2.5 (tested in 6 different servers). If we configure the LDAP client to use un-upgraded servers using fedora-ds-base 1.1.3 (tested in 4 different servers), the command "getent group" works fine, and no errors are shown in the log. The client configuration is always the same, just changing the LDAP server.

These are the configuration files:

/etc/ldap.conf

uri ldaps://XXXXXX
base dc=XXXXXX,dc=XXXXXX
ldap_version 3

binddn cn=Application Manager,cn=config
bindpw XXXXXX

ssl on
sasl_secprops maxssf=0
tls_cacertdir /etc/openldap/cacerts
tls_cacert    /etc/openldap/cacerts/cert-CA-cacert.pem

timelimit 20
bind_timelimit 20
idle_timelimit 3600

nss_base_hosts ou=Computers,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?one
nss_base_group ou=Groups,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?sub
nss_base_passwd dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
nss_base_shadow dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))

nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dbus,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,ldap,libuuid,list,lp,mail,mailman,man,messagebus,named,news,nobody,polkituser,proxy,radiusd,radvd,root,sshd,sync,sys,syslog,tomcat,uucp,www-data
pam_password clear


/etc/openldap/ldap.conf

URI   ldaps://XXXXXX
BASE  dc=XXXXXX,dc=XXXXXX

TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT    /etc/openldap/cacerts/cert-CA-cacert.pem
TLS_REQCERT   allow


/etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus


Server: CentOS release 5.4 (Final), Linux XXXXXXXXXXXXXXX 2.6.18-164.15.1.el5.centos.plusPAE #1 SMP Wed Mar 17 20:42:15 EDT 2010 i686 i686 i386 GNU/Linux
Client: CentOS release 5.4 (Final), Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux 

"getent group" should return the local groups (that are show fine) and about 729 LDAP groups. If I do the same search with the command ldapsearch, all groups and their attributes are returned. All 32 bits (client and server), versions:

Server: CentOS release 5.4 (Final), Linux XXXXXXXXXXXXXXX 2.6.18-164.15.1.el5.centos.plusPAE #1 SMP Wed Mar 17 20:42:15 EDT 2010 i686 i686 i386 GNU/Linux
Client: CentOS release 5.4 (Final), Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux

When running "getent group", the file /var/log/messages throws theses errors:

May  3 12:36:50 localhost getent: nss_ldap: reconnected to LDAP server ldaps://XXXXXXXXX after 1 attempt
May  3 12:37:10 localhost getent: nss_ldap: could not get LDAP result - Timed out

The "Timed out" message is because LDAP server has dropped the connection when it receives "SSL peer reports incorrect Message Authentication Code", and happens (I think) after reading the entry of the first group, so the rest of the groups are not shown.

I run these queries:

Total groups:
# ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,XXXXXXX=es" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E "^dn:" | wc -l
729

Total members:
# ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,dc=XXXXXXX" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E -i "^uniquemember:" | wc -l
23348

Total unique members:
# ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,dc=XXXXXXX" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E -i "^uniquemember:" | sort | uniq | wc -l
9365
Comment 5 Rich Megginson 2010-08-04 17:36:14 EDT
Is it possible to reproduce this problem with ldapsearch, or do you have to use getent groups?
Comment 7 Moisés Barba Pérez 2011-02-22 02:49:50 EST
I have the same problem, and I would like to use getent groups.
Comment 8 Rich Megginson 2011-02-22 10:33:37 EST
(In reply to comment #7)
> I have the same problem, and I would like to use getent groups.

What platform?  What version of 389-ds-base?  What platform are the clients running on?  Can you reproduce the problem from the client using ldapsearch, or is it necessary to use getent?
Comment 9 Moisés Barba Pérez 2011-02-28 03:47:36 EST
Centos 5.5, 389-ds-base-1.2.5-1.el5, clients runs Centos 5.4. I can't reproduce the problem from client using ldapsearch and I need to use getent because of this problem when I use "id" on my scripts or "sudo -l".

I have about 1100 groups, about 44000 members and 16000 unique members.
Comment 10 Moisés Barba Pérez 2011-02-28 04:24:52 EST
Centos 5.5, 389-ds-base-1.2.5-1.el5, clients runs Centos 5.4. I can't reproduce the problem from client using ldapsearch and I need to use getent because of this problem when I use "id" on my scripts or "sudo -l".

I have about 1100 groups, about 44000 members and 16000 unique members.
Comment 11 Rich Megginson 2011-03-30 12:29:20 EDT
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=676384

*** This bug has been marked as a duplicate of bug 676384 ***

Note You need to log in before you can comment on or make changes to this bug.