From owner-freebsd-stable@FreeBSD.ORG Fri Sep 8 17:50:45 2006
Date: Fri, 8 Sep 2006 10:49:44 -0700 (PDT)
From: Dirk Kleinhesselink <dkleinh@phy.ucsf.edu>
To: stable@freebsd.org
Subject: openldap/pam/nss issues on 6.1
List-Id: Production branch of FreeBSD source code

I've tried to search for these answers, so I apologize if I've missed them in previous posts in various lists:

I'm setting up FreeBSD 6.1/i386 (soon amd64, I hope) for LDAP login and I've had some minor issues with it:

1) I can get it to work as a server and client, but with the default startup timeout and bind hard, the slapd startup hangs for quite a while on service startup. I've seen the suggestion to set the bind to soft and lower the timeout value, and this helps, but then sshd has problems querying the ldap service and so one can't log in via ssh.

2) My FreeBSD client system can authenticate to it OK, but I'd like to restrict the unencrypted connection (port 389) to localhost only, and clients must connect with ssl (port 636). I've started slapd on the server with flags "-h ldap://127.0.0.1/ ldaps:///" and local server logins work great, but the client hangs on login and whenever commands like "id" or "whoami" are issued, though the logins and command results ultimately work. I monitored the net connections with netstat and I see syn connections to the server's ldap (389) port as well as ldaps (636). I suspect that even though I set the client's /usr/local/etc/ldap.conf (and symlinked /etc/ldap.conf and nss_ldap.conf to it) with ssl on and port 636, it is still trying 389 first. If I start the server with "-h ldap:/// ldaps:///" then the 389 connections succeed and everything is fast. A Linux client did not try the 389 port and was fast logging in and returning results with id or whoami. On the FreeBSD client, if I do:

ldapsearch -H ldaps://hostname -b"dc=...." -LL -x "(uid=testuser)"

this immediately gives me the result. It is something with the pam or nss that is insisting on doing port 389 first.

3) My FreeBSD client sshd, when configured for ldap, does signal 11 crashes. My FreeBSD server has no problem with sshd and ldap. If I turn off ldap and use NIS on the client, it works great.

Any help with these? I can deal with the slow startup, that's relatively minor, but 2 and 3 are more problematic for me.

Thanks,
Dirk
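An added example, not part of Dirk's post and not code from the nss_ldap/pam_ldap projects: a small checker for the PADL-style ldap.conf the post refers to. From the file alone it reports whether the client is configured to reach a plaintext ldap:// listener, whether ssl on, tls_cacert and tls_checkpeer are set, and whether bind_policy is soft (the "bind soft" trade-off in point 1). Key names follow the PADL ldap.conf conventions; the sample configs, the hostname ldap.example.test and the CA path are constructed. It inspects settings as written and does not determine which port a given nss_ldap build actually tries first, which is the question the post raises.

```python
"""Static checker for a PADL-style nss_ldap/pam_ldap ldap.conf.

Added illustration; not from the original post or the PADL projects.
Key names follow the PADL ldap.conf conventions (uri, host, port, ssl,
tls_cacert, tls_checkpeer, bind_policy).  Findings describe the file as
written, not the library's run-time behaviour.  Sample configs below are
constructed.
"""
from collections import defaultdict

# Constructed sample: host/port form, no TLS at all.
WEAK_CONF = """\
# constructed example, not a real site config
host ldap.example.test
base dc=example,dc=test
port 389
ssl off
bind_policy soft
"""

# Constructed sample: ldaps:// only, CA pinned, peer verification on.
HARDENED_CONF = """\
# constructed example, not a real site config
uri ldaps://ldap.example.test/
base dc=example,dc=test
ssl on
tls_cacert /usr/local/etc/openldap/cacert.pem
tls_checkpeer yes
bind_policy hard
"""


def parse_ldap_conf(text):
    """Map each lower-cased key to the list of values given for it.

    ldap.conf is one 'key value' pair per line and '#' starts a comment.
    A list per key keeps repeated keys (for example several 'uri' lines).
    """
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[parts[0].lower()].append(value)
    return conf


def check_ldap_conf(text):
    """Return a list of findings about the config; empty means nothing to flag."""
    conf = parse_ldap_conf(text)
    findings = []

    def last(key, default):
        return conf[key][-1].lower() if conf.get(key) else default

    # 'uri' may carry several space-separated listeners on one line.
    uris = [u for line in conf.get("uri", []) for u in line.split()]
    plaintext = [u for u in uris if u.lower().startswith("ldap://")]
    ldaps_only = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)

    if plaintext:
        findings.append("uri lists a plaintext listener: " + ", ".join(plaintext))

    ssl = last("ssl", "off")
    encrypted = ssl in ("on", "start_tls") or ldaps_only
    if not encrypted:
        target = ", ".join(uris) if uris else (conf["host"][-1] if conf.get("host") else "<no host>")
        findings.append("no ssl on/start_tls and no ldaps:// uri: traffic to %s would be unencrypted" % target)
    else:
        # With TLS in use, the server certificate still has to be verified.
        port = conf["port"][-1] if conf.get("port") else None
        if ssl == "on" and port == "389":
            findings.append("port 389 with 'ssl on': ldaps conventionally listens on 636")
        if not conf.get("tls_cacert"):
            findings.append("tls_cacert not set: server certificate cannot be checked against a trusted CA")
        if last("tls_checkpeer", "") != "yes":
            findings.append("tls_checkpeer is not 'yes': server certificate verification not explicitly enabled")

    # Availability trade-off the post describes: soft binds stop lookups
    # blocking on an unreachable server, at the cost of failed lookups.
    if last("bind_policy", "hard") == "soft":
        findings.append("info: bind_policy soft; lookups fail rather than block when the server is unreachable")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %s" % (name, check_ldap_conf(conf) or ["ok"]))
```

Run it against the real client file with `check_ldap_conf(open("/usr/local/etc/ldap.conf").read())`; a hostname that shows up in the "plaintext listener" finding is one to expect syn packets to port 389 for in netstat.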