
Juan Asensio Sánchez 05-03-2010 03:16 PM

SSL peer reports incorrect Message Authentication Code in versions >= 1.2.2
 
Hi

2010/5/3 Rich Megginson <rmeggins@redhat.com>

> > We are having trouble since we have updated from version 1.1.3 to
> > 1.2.2 and 1.2.5. We have integrated CentOS/Redhat clients into LDAP.
> > When we try to make "getent group", we only get one group and its
> > members, but not the rest of the groups (should be more than 1000 groups).
>
> What platform? 32-bit or 64-bit?
>
> How many groups? Do you only get this error when you attempt a search
> to return this many groups?

"getent group" should return the local groups (that are shown fine) and about 729 LDAP groups. If I do the same search with the command ldapsearch, all groups and their attributes are returned. All 32-bit (client and server), versions:

Server: CentOS release 5.4 (Final), Linux XXXXXXXXXXXXXXX 2.6.18-164.15.1.el5.centos.plusPAE #1 SMP Wed Mar 17 20:42:15 EDT 2010 i686 i686 i386 GNU/Linux
Client: CentOS release 5.4 (Final), Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux

When running "getent group", the file /var/log/messages throws these errors:

May  3 12:36:50 localhost getent: nss_ldap: reconnected to LDAP server ldaps://XXXXXXXXX after 1 attempt
May  3 12:37:10 localhost getent: nss_ldap: could not get LDAP result - Timed out

The "Timed out" message is because the LDAP server has dropped the connection when it receives "SSL peer reports incorrect Message Authentication Code", and happens (I think) after reading the entry of the first group, so the rest of the groups are not shown.






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Juan Asensio Sánchez 05-04-2010 11:46 AM

SSL peer reports incorrect Message Authentication Code in versions >= 1.2.2
 
2010/5/3 Rich Megginson <rmeggins@redhat.com>

> Juan Asensio Sánchez wrote:
> > Hi
> >
> > 2010/5/3 Rich Megginson <rmeggins@redhat.com>
> >
> > > > We are having trouble since we have updated from version 1.1.3 to
> > > > 1.2.2 and 1.2.5. We have integrated CentOS/Redhat clients into LDAP.
> > > > When we try to make "getent group", we only get one group and its
> > > > members, but not the rest of the groups (should be more than 1000
> > > > groups).
> > > What platform? 32-bit or 64-bit?
> > > How many groups? Do you only get this error when you attempt a search
> > > to return this many groups?
> >
> > "getent group" should return the local groups (that are shown fine) and
> > about 729 LDAP groups.
>
> How many groups total? Roughly how many members? I'm trying to get
> some idea about how many entries and how many bytes should be returned.
>
> > If I do the same search with the command ldapsearch,
>
> ldapsearch to ldaps://hostname:636/ or ldap://hostname:389/ ?

I run these queries:

Total groups:
# ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,XXXXXXX=es" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E "^dn:" | wc -l
729

Total members:
# ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,dc=XXXXXXX" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E -i "^uniquemember:" | wc -l
23348

Total unique members:
# ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,dc=XXXXXXX" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E -i "^uniquemember:" | sort | uniq | wc -l
9365

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Juan Asensio Sánchez 05-26-2010 08:58 AM

SSL peer reports incorrect Message Authentication Code in versions >= 1.2.2
 
Hi

I have done more tests with the same result. I can confirm that with the same configuration in the client, if the server is upgraded, the error is thrown. I have opened a bug:

https://bugzilla.redhat.com/show_bug.cgi?id=596058



Regards.

2010/5/4 Rich Megginson <rmeggins@redhat.com>

> Juan Asensio Sánchez wrote:
> >
> > 2010/5/3 Rich Megginson <rmeggins@redhat.com>
> >
> > > Juan Asensio Sánchez wrote:
> > > > Hi
> > > >
> > > > 2010/5/3 Rich Megginson <rmeggins@redhat.com>
> > > >
> > > > > > We are having trouble since we have updated from version 1.1.3 to
> > > > > > 1.2.2 and 1.2.5. We have integrated CentOS/Redhat clients into LDAP.
> > > > > > When we try to make "getent group", we only get one group and its
> > > > > > members, but not the rest of the groups (should be more than 1000
> > > > > > groups).
> > > > > What platform? 32-bit or 64-bit?
> > > > > How many groups? Do you only get this error when you attempt a search
> > > > > to return this many groups?
> > > >
> > > > "getent group" should return the local groups (that are shown fine) and
> > > > about 729 LDAP groups.
> > > How many groups total? Roughly how many members? I'm trying to get
> > > some idea about how many entries and how many bytes should be returned.
> > > > If I do the same search with the command ldapsearch,
> > > ldapsearch to ldaps://hostname:636/ or ldap://hostname:389/ ?
> >
> > I run these queries:
> >
> > Total groups:
> > # ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,XXXXXXX=es" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E "^dn:" | wc -l
> > 729
> >
> > Total members:
> > # ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,dc=XXXXXXX" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E -i "^uniquemember:" | wc -l
> > 23348
> >
> > Total unique members:
> > # ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,dc=XXXXXXX" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E -i "^uniquemember:" | sort | uniq | wc -l
> > 9365
>
> So it appears that using ldapsearch with ldaps returns the correct
> information, it's just that getent does not? Both ldapsearch and getent
> go through the same ldap + openssl libraries, both bind as "application
> manager", it's mostly the same code path, so I'm not sure why getent
> would behave differently. I'm assuming you don't see the same incorrect
> Message Authentication Code error when you use ldapsearch.
>
> Please file a bug - https://bugzilla.redhat.com/enter_bug.cgi?product=389


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
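An added example, not code from the thread or from the 389 project: a script that does the comparison Rich asks for, counting the posixGroup entries and members in an LDIF dump (what the ldapsearch commands above return) against the LDAP groups that `getent group` shows on the client. The sample LDIF, getent output and local group names are constructed stand-ins so it runs offline; dc=example,dc=es and the group names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the comparison Rich asks for. Count the
# posixGroup entries and members in an LDIF dump (what `ldapsearch -LLL` over
# ldaps returns), count the LDAP groups `getent group` shows, and flag the gap.
# Constructed sample data replaces live output; dc=example,dc=es is a placeholder.
# Constructed stand-in for `ldapsearch -LLL ... "(objectClass=posixGroup)"` output.
SAMPLE_LDIF='dn: cn=admins,ou=Groups,dc=example,dc=es
cn: admins
gidNumber: 1001
uniqueMember: uid=alice,ou=People,dc=example,dc=es
uniqueMember: uid=bob,ou=People,dc=example,dc=es

dn: cn=devs,ou=Groups,dc=example,dc=es
cn: devs
gidNumber: 1002
uniqueMember: uid=bob,ou=People,dc=example,dc=es
uniqueMember: uid=carol,ou=People,dc=example,dc=es
'
# Constructed stand-in for `getent group` on the affected client: local groups
# plus only the first LDAP group, as the thread describes.
SAMPLE_GETENT='root:x:0:
wheel:x:10:alice
admins:*:1001:alice,bob
'
# Constructed stand-in for the group names in the client's /etc/group.
LOCAL_GROUPS='root
wheel'
# Each LDIF entry starts with a "dn:" line, so counting those counts groups.
ldif_group_count() { printf '%s' "$1" | grep -c '^dn:'; }
# Member references, total and distinct (case-insensitive, like the thread's grep -i).
ldif_member_count() { printf '%s' "$1" | grep -ci '^uniquemember:'; }
ldif_unique_member_count() {
    printf '%s' "$1" | grep -i '^uniquemember:' | sort -u | grep -c .
}
# Groups getent reports that are not local: with -F each line of $LOCAL_GROUPS
# is one fixed-string pattern and -x demands a whole-line match.
getent_ldap_group_count() {
    printf '%s' "$1" | cut -d: -f1 | grep -vxcF "$LOCAL_GROUPS"
}
# Returns 1 when the client sees fewer LDAP groups than the directory holds,
# the symptom that went with the nss_ldap "could not get LDAP result" log line.
check_group_visibility() {
    expected=$(ldif_group_count "$1"); seen=$(getent_ldap_group_count "$2")
    if [ "$seen" -lt "$expected" ]; then
        echo "MISMATCH: getent shows $seen of $expected LDAP groups"; return 1
    fi
    echo "OK: all $expected LDAP groups visible"
}
```

Against live systems, feed it `ldapsearch -LLL` output for the first argument, `getent group` output for the second, and the names from /etc/group as LOCAL_GROUPS.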

