Date: Tue, 12 Jan 2021 11:29:52 +0100 From: Andrea Venturoli <ml@netfence.it> To: freebsd-ports@freebsd.org Subject: Occasional saslauthd LDAP failure Message-ID: <1d4589bd-d617-f355-d6d9-35cb74034fce@netfence.it>
Hello.

I've got several services authenticating against a Samba AD DC via "saslauthd -a ldap".

This works perfectly from the users' point of view.

However I often find failures in the logs:

> saslauthd[89676]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
> saslauthd[89676]: Retrying authentication

This happens hundreds of times a day.

Almost surely retrying succeeds, as no user ever complained.

I tried getting some logs from Samba, but was not able to.

I ran saslauthd in debug mode and, when the above happens, this is what I see:

> TLS certificate verification: Error, unable to get local issuer certificate
> TLS certificate verification: Error, unable to verify the first certificate

Any hint? Why would either saslauthd or the openldap client library fail occasionally?

Since I'm using a stateful firewall, I thought perhaps connections time out, but disabling it did not help.

My saslauthd.conf:

> ldap_servers: ldap://x.x.x.x/
> ldap_bind_dn: cn=xxx,cn=Users,dc=xxx,dc=xxx,dc=xxx
> ldap_password: XXXXXXXX
> ldap_start_tls: yes
> ldap_search_base: cn=Users,dc=xxx,dc=xxx,dc=xxx
> ldap_tls_cert: /.../cert.pem
> ldap_tls_key: /.../key.pem
> ldap_filter: (sAMAccountName=%u)
> ldap_scope: sub
> ldap_debug: 100
> ldap_verbose: on
> ldap_tls_check_peer: no

My ldap.conf:

> TLS_CACERT /.../cert.pem
> TLS_CERT /.../key.pem
> TLS_REQCERT allow
> ssl_check_cert off

bye & Thanks
av.
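Because every failed bind is retried and the retry evidently succeeds, nothing reaches the users and the log is the only place the problem is visible. A small log-side monitor is therefore the practical way to measure how often it happens and, more importantly, to notice if a failure ever stops being recovered. The following is an added example, not code from the post or from the saslauthd project: it parses syslog-style saslauthd lines (the message texts are the ones quoted above; the timestamps, host name and line order are constructed), pairs each `ldap_simple_bind() failed` with the `Retrying authentication` that should follow it from the same process, and counts the `TLS certificate verification` errors separately. They deserve their own counter because with `ldap_tls_check_peer: no` and `TLS_REQCERT allow` a certificate that cannot be verified is logged but does not abort the bind, so those lines will never show up as an authentication failure on their own.

```python
import re
from collections import Counter

# Constructed sample log in syslog style. The message bodies are the ones
# quoted in the post; timestamps, host name and ordering are assumptions.
SAMPLE_LOG = """\
Jan 12 10:01:03 mail saslauthd[89676]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Jan 12 10:01:03 mail saslauthd[89676]: Retrying authentication
Jan 12 10:01:03 mail saslauthd[89676]: TLS certificate verification: Error, unable to get local issuer certificate
Jan 12 10:01:03 mail saslauthd[89676]: TLS certificate verification: Error, unable to verify the first certificate
Jan 12 10:17:44 mail saslauthd[89676]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
Jan 12 10:17:44 mail saslauthd[89676]: Retrying authentication
Jan 12 11:02:10 mail saslauthd[89676]: ldap_simple_bind() failed -1 (Can't contact LDAP server).
"""

# "Mon DD HH:MM:SS host saslauthd[pid]: message" (BSD syslog layout, assumed)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"saslauthd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

BIND_FAIL = "ldap_simple_bind() failed"
RETRY = "Retrying authentication"
TLS_VERIFY = "TLS certificate verification: Error"


def parse_log(text):
    """Return (timestamp, pid, message) tuples for every saslauthd line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("pid"), m.group("msg")))
    return events


def summarize(events):
    """Count bind failures, retries and TLS verification errors.

    A bind failure is 'unrecovered' if the same pid logs another failure, or
    the log ends, before a 'Retrying authentication' line appears.
    """
    summary = {
        "bind_failures": 0,
        "retries": 0,
        "tls_verify_errors": 0,
        "unrecovered": 0,
        "per_hour": Counter(),
    }
    pending = {}  # pid -> True while a failure is still waiting for its retry
    for ts, pid, msg in events:
        if msg.startswith(BIND_FAIL):
            if pending.get(pid):
                summary["unrecovered"] += 1
            pending[pid] = True
            summary["bind_failures"] += 1
            summary["per_hour"][ts[:-6]] += 1  # strip ":MM:SS" -> hour bucket
        elif msg.startswith(RETRY):
            summary["retries"] += 1
            pending[pid] = False
        elif msg.startswith(TLS_VERIFY):
            summary["tls_verify_errors"] += 1
    # Failures still pending at end of log never got their retry line.
    summary["unrecovered"] += sum(1 for waiting in pending.values() if waiting)
    return summary


def noisy_hours(summary, threshold):
    """Hour buckets whose bind-failure count reaches the alerting threshold."""
    return sorted(h for h, n in summary["per_hour"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    for key in ("bind_failures", "retries", "tls_verify_errors", "unrecovered"):
        print(f"{key}: {s[key]}")
    print("hours at or above 2 failures:", noisy_hours(s, 2))
```

Feed it the real file with `summarize(parse_log(open("/var/log/auth.log").read()))` (path assumed; use wherever saslauthd logs on the host) and alert on a non-zero `unrecovered` count or on an hour bucket well above the usual rate, rather than on the individual failure lines, which are noise as long as the retry keeps succeeding.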