From owner-freebsd-bugs@FreeBSD.ORG Mon Apr 19 12:14:55 2004
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0EF9016A4CE for ; Mon, 19 Apr 2004 12:14:55 -0700 (PDT)
Received: from smtp3.ing.unibs.it (smtp3.ing.unibs.it [192.167.23.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id A6BED43D6E for ; Mon, 19 Apr 2004 12:14:53 -0700 (PDT) (envelope-from francesco.gringoli@ing.unibs.it)
Received: from smtp.ing.unibs.it (smtp.ing.unibs.it [192.167.20.162]) by smtp3.ing.unibs.it (8.12.8/8.12.8) with ESMTP id i3JJEmFt010550 for ; Mon, 19 Apr 2004 21:14:48 +0200
Received: from [192.168.20.8] (noragw.ing.unibs.it [192.167.20.210]) (authenticated bits=0) i3JJEjao031711 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for ; Mon, 19 Apr 2004 21:14:48 +0200
Mime-Version: 1.0 (Apple Message framework v613)
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed
To: freebsd-bugs@freebsd.org
From: Francesco Gringoli
Date: Mon, 19 Apr 2004 21:14:45 +0200
X-Mailer: Apple Mail (2.613)
X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/)
Subject: Conflicts between slapd and nsswitch (SSL not working)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Mon, 19 Apr 2004 19:14:55 -0000

Hi all,

I have noticed this conflict when running slapd as a user different from root and with nsswitch configured to search in ldap (other than files). This is my /etc/nsswitch.conf:

    passwd: files ldap
    group: files ldap

If you try to launch slapd as user root and you have configured it to bind on port 636 for SSL, everything is ok. You can connect to the SSL port and browse your db.

But if you try to use a different user for slapd, you can still browse via cleartext on 389 but no more via SSL on 636. This does not depend on the ldap db you are using for nsswitch. I tried to use a different slapd already running for the nsswitch part, but the problem was still there.

When you start slapd in debug mode as a user different from root with nsswitch configured to access ldap, you can clearly see that slapd tries to bind to the ldap server specified in /etc/ldap.conf to look up the user specified, even if this user is in /etc/passwd.

This is not correct, since you cannot start a service with a user that can be provided via nsswitch by that service!!
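The circular dependency the report describes (a daemon's own account resolved through an nsswitch source the daemon itself serves) can be caught before the service is started. The following script is an added example, not part of the mail or of OpenLDAP; the account name "ldap" for slapd and the sample files it builds are assumptions.

```shell
#!/bin/sh
# Added example: flag the case where the account a daemon drops privileges
# to may have to be resolved through the nsswitch "ldap" source, which is
# served by the very daemon (slapd) being started.
#
# classify_service_account NSSWITCH_FILE PASSWD_FILE USER prints one of:
#   ldap-in-nsswitch  the passwd database lists ldap, so resolving USER
#                     can depend on slapd already running
#   missing-locally   USER is absent from PASSWD_FILE and no ldap source
#                     exists, so the account is simply undefined
#   ok                USER is defined locally and passwd never consults ldap
classify_service_account() {
    nss="$1"; pw="$2"; user="$3"
    # Sources configured for the passwd database, with comments stripped.
    sources=$(sed -n 's/#.*//; s/^[[:space:]]*passwd:[[:space:]]*//p' "$nss")
    case " $sources " in
        *" ldap "*) echo "ldap-in-nsswitch"; return 0 ;;
    esac
    if grep -q "^${user}:" "$pw"; then
        echo "ok"
    else
        echo "missing-locally"
    fi
}

# Constructed sample files mirroring the reporter's nsswitch.conf, plus a
# files-only variant; the "ldap" passwd entry for slapd is an assumption.
SAMPLE_DIR=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\n' > "$SAMPLE_DIR/nsswitch.conf"
printf 'passwd: files\ngroup: files\n' > "$SAMPLE_DIR/nsswitch.files-only"
printf 'root:*:0:0:root:/root:/bin/sh\nldap:*:389:389:slapd:/nonexistent:/sbin/nologin\n' \
    > "$SAMPLE_DIR/passwd"

# Usage: classify the slapd account under both configurations.
for cfg in nsswitch.conf nsswitch.files-only; do
    echo "$cfg: $(classify_service_account "$SAMPLE_DIR/$cfg" "$SAMPLE_DIR/passwd" ldap)"
done
```

Run against a real host, point the function at /etc/nsswitch.conf and /etc/passwd; any result other than "ok" means the account lookup does not stay within local files.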