07-19-2012, 01:34 PM
Carsten Grzemba

Stumped - SSL works for auth, sudo, etc, but fails for ldap user cronjobs

Hi,

what kind of certificate do you use, selfsigned? Are the certificates signed by the same CA?



On 18.07.12, David Nguyen <d_k_nguyen@yahoo.com> wrote:

Hi all,

I have a strange one. My current setup is working perfectly. client1
is able to connect to ldap-server1 via SSL and everything is working
correctly. I then had a need to add another ldap server (ldap-server2)
as a multi-master replica and everything is working (user auth, sudo
via ldap users, ldapsearch, openssl, etc) except cronjobs for users
served out of ldap fail to run.

I can see this in the error log on ldap-server2:

[18/Jul/2012:11:18:00 -0700] - PR_Recv for connection 467 returns
-12195 (Peer does not recognize and trust the CA that issued your
certificate.)

If I set /etc/ldap.conf to not use SSL (URI ldap://fqdn vs URI
ldaps://fqdn:636), the cronjobs fire just fine.

So it appears as though there is an SSL cert issue, but I'm stumped
because all of the other services that use ldap on client1 work except
cron jobs (root cron fires fine as expected since nsswitch is set to
files then ldap).

If I replace the URI string in /etc/ldap.conf to point at
ldap-server1, cron starts working.

Both ldap-server1 and ldap-server2 are running the same OS and
kernel version (RHEL5) as well as the same version of 389 DS
(389-ds-1.2.1-1.el5).

Any ideas as to what could be causing this problem? Here is the
/etc/ldap.conf on client1 if it matters:

====== begin /etc/ldap.conf =======
URI ldaps://ops-ldap006.svale.netledger.com:636
base dc=netsuite,dc=com

timelimit 10
bind_policy soft
nss_reconnect_tries 3
bind_timelimit 6
idle_timelimit 30
sudoers_base    ou=SUDOers,dc=netsuite,dc=com
sudoers_debug 0

##ssl start_tls
TLS_CACERT      /etc/openldap/cacerts/ca.crt
TLS_CACERTFILE  /etc/openldap/cacerts/ca.crt
TLS_REQCERT     demand
pam_lookup_policy yes
pam_password exop

nss_initgroups_ignoreusers root,named,avahi,haldaemon,dbus,gdm,postfix,puppet

====== end /etc/ldap.conf =======




Thanks in advance,
David
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
Carsten Grzemba
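The server-side log entry quoted above ("Peer does not recognize and trust the CA that issued your certificate", NSS code -12195) is the server reporting an unknown_ca TLS alert sent by the client, so the failing check is the client's own trust store. The script below, added here as an example and not code from the thread or from 389 DS, reproduces that check from the client side: it parses an nss_ldap-style ldap.conf laid out like the one above and attempts a TLS handshake with each ldaps server while trusting only the configured TLS_CACERT file (TLS_REQCERT demand semantics). The hostnames and paths in the sample config are constructed.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample in the thread's /etc/ldap.conf format: two ldaps servers
# (nss_ldap accepts a space-separated list) but only one CA file to trust.
SAMPLE_LDAP_CONF = """\
URI ldaps://ldap-server1.example.com:636 ldaps://ldap-server2.example.com
base dc=example,dc=com
##ssl start_tls
TLS_CACERT      /etc/openldap/cacerts/ca.crt
TLS_REQCERT     demand
"""

def parse_ldap_conf(text):
    """Return ([(host, port), ...] for ldaps URIs, cacert path, reqcert).
    Keys are case-insensitive, '#' starts a comment, URI may list servers."""
    servers, cacert, reqcert = [], None, "demand"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].replace("\t", " ").strip()
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "uri":
            for u in value.split():
                p = urlsplit(u)
                if p.scheme == "ldaps":          # plain ldap:// is not checked
                    servers.append((p.hostname, p.port or 636))
        elif key in ("tls_cacert", "tls_cacertfile"):
            cacert = value.strip()
        elif key == "tls_reqcert":
            reqcert = value.strip().lower()
    return servers, cacert, reqcert

def verify_server(host, port, cafile, timeout=5.0):
    """Handshake trusting *only* cafile, as nss_ldap does with TLS_REQCERT demand.
    (False, reason) is the client-side view of the server's -12195 log entry."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # no system trust store
        ctx.verify_mode = ssl.CERT_REQUIRED
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, "issuer CN=%s" % issuer.get("commonName")
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message   # e.g. unable to get local issuer certificate
    except (OSError, ssl.SSLError) as e:
        return False, str(e)             # missing CA file, refused connection, ...
```

Run `verify_server(host, port, cacert)` for each entry returned by `parse_ldap_conf`; a server whose certificate was issued by a CA absent from TLS_CACERT fails here exactly as ldap-server2 did, and the fix is either to issue its certificate from the trusted CA (as done in this thread) or to append the second CA to the file named by TLS_CACERT.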
 
07-19-2012, 05:54 PM
David Nguyen

Stumped - SSL works for auth, sudo, etc, but fails for ldap user cronjobs

The cert is self-signed, but by different CAs (each server has its own CA).

You know what? I took your hint and signed a new server cert using
the "working" ldap server's CA and voila, it started working. Thank
you so much! I've been scratching my head over this one for days.


David

 
07-20-2012, 07:30 PM
David Nguyen

Stumped - SSL works for auth, sudo, etc, but fails for ldap user cronjobs

Just as a follow up to this, on ~5% of our hosts (RHEL[456]), crond
would be unable to connect to the ldapserver after /etc/ldap.conf was
updated to use SSL. Restarting crond fixed the issue.
