Hi All,

We have a couple of issues with one of the eDirectory servers in the
replica.
When we point a Redhat system to this eDirectory Server, it can no
longer authenticate.
The eDir server appears to be running and is responding to ldapsearch
commands.

We've narrowed it down to the openldap configuration on the client. We
use SSSD for authentication and that is working fine; however, there are
some other utilities, such as the passwd-expiry script, which use the
openldap client, and that prevents successful login. Sudo sh is also
broken.

Without SSL the openldap client is fine. Note when using SSL to any
other eDir servers in the same replica tree, it works fine.

Without SSL:
[root@fgprd-123123-99999-db001 openldap]# /usr/bin/ldapsearch -x -LLLL cn=svaughan passwordExpirationTime | awk 'NR==2' | awk '{print substr($2,1,4)"-"substr($2,5,2)"-"substr($2,7,2)" "substr($2,9,2)":"substr($2,11,2)":"substr($2,13,2)}' | less
2014-05-25 05:07:15

With SSL it just hangs with no response:
[root@fgprd-123123-99999-db001 openldap]# /usr/bin/ldapsearch -x -LLLL cn=svaughan passwordExpirationTime | awk 'NR==2' | awk '{print substr($2,1,4)"-"substr($2,5,2)"-"substr($2,7,2)" "substr($2,9,2)":"substr($2,11,2)":"substr($2,13,2)}' | less

/etc/openldap/ldap.conf:

[root@ openldap]# cat ldap.conf
# Generated by Chef for fgprd-db001.mhint
# Local changes will be overwritten

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE o=MH
URI ldaps:// va2-app01.mhint ldaps://master-app02.mhint
TLS_CACERT /etc/openldap/Server1prdtree-rootcacert.asc

/etc/ldap.conf:

[root@ openldap]# cat /etc/ldap.conf
# Generated by Chef for fgprd-db001.mhint
# Local changes will be overwritten
URI ldaps://va2-app01.mhint ldaps://master-app02.mhint
BASE o=MH
SCOPE sub
ldap_version 3
binddn cn=ldapclientuser,ou=svcusers,o=services
bindpw
pam_password nds
pam_lookup_policy yes
SSL yes
TLS_CACERTFILE /etc/openldap/Server1prdtree-rootcacert.asc
TLS_REQCERT demand
SUDOERS_BASE ou=SUDOers,o=MH
SUDOERS_TIMED yes
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute uid cn
pam_filter objectclass=posixAccount
nss_base_passwd ou=Users,o=MH?one
nss_base_group ou=Groups,o=MH?sub?gidNumber=*

# Ensures the system is still accessible during an ldap server outage
timelimit 50 # Search timelimit in sec
timeout 5
network_timeout 5
bind_timelimit 15 # Bind timelimit - abort after 15 seconds if it fails to bind

# libnss stuff
nss_connect_policy oneshot # Determines whether to close the connection after each LDAP query
nss_reconnect_tries 1 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 1 # max sleep value to cap at
nss_reconnect_maxconntries 3 # how many tries before sleeping

Not sure how to proceed on this, please help.

Thanks
KBasa


--
kbasa
------------------------------------------------------------------------
kbasa's Profile: https://forums.netiq.com/member.php?userid=6450
View this thread: https://forums.netiq.com/showthread.php?t=50375
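An added diagnostic for the hang described in the post above (this is example code, not the poster's or NetIQ's): it checks the TLS handshake against each replica with a hard deadline, queries one server at a time with an explicit network timeout so a stuck handshake cannot block a login script, and converts passwordExpirationTime with the same substr logic as the post's awk pipeline. Hostnames, CA file and base DN come from the posted ldap.conf; the user cn and the 10/15-second deadlines are assumptions.

```shell
#!/bin/sh
# Added example: bounded checks for an ldaps:// replica that hangs.
set -u

# Convert an LDAP GeneralizedTime value (e.g. 20140525050715Z) into
# "YYYY-MM-DD HH:MM:SS"; prints nothing for a value that is too short.
ldap_gentime_to_iso() {
    printf '%s\n' "$1" | awk '{
        t = $1
        if (length(t) < 14) { exit 1 }
        printf "%s-%s-%s %s:%s:%s\n", substr(t,1,4), substr(t,5,2), substr(t,7,2),
               substr(t,9,2), substr(t,11,2), substr(t,13,2)
    }'
}

# Pull one attribute value out of LDIF on stdin by name, instead of
# trusting "NR==2"; base64 ("::") values are not handled here.
ldif_attr_value() {  # usage: ldif_attr_value <attr>
    awk -v a="$1:" '$1 == a { print $2; exit }'
}

# TLS handshake to one server with a deadline; exit status is non-zero
# on timeout or on certificate verification failure.
tls_handshake_check() {  # usage: tls_handshake_check <host> <cafile>
    timeout 10 openssl s_client -connect "$1:636" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Query a single server (-H overrides the URI list in ldap.conf), with
# both the connect timeout (-o nettimeout) and the whole run bounded.
password_expiry_for() {  # usage: password_expiry_for <host> <user-cn>
    timeout 15 ldapsearch -x -LLL -H "ldaps://$1" -o nettimeout=5 \
        -b o=MH "cn=$2" passwordExpirationTime \
      | ldif_attr_value passwordExpirationTime
}

main() {
    cafile=/etc/openldap/Server1prdtree-rootcacert.asc
    for host in va2-app01.mhint master-app02.mhint; do  # from ldap.conf
        if tls_handshake_check "$host" "$cafile"; then
            exp=$(password_expiry_for "$host" svaughan)  # assumed user cn
            printf '%s: expiry %s\n' "$host" "$(ldap_gentime_to_iso "$exp")"
        else
            printf '%s: TLS handshake failed or timed out on port 636\n' "$host"
        fi
    done
}

case "${1:-}" in run) main ;; esac   # invoke as: sh thisscript.sh run
```

A replica that fails the handshake check while the others pass isolates the problem to that server's TLS setup rather than to the client's ldap.conf.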