[389-users] SSL peer reports incorrect Message Authentication Code in versions >= 1.2.2
Rich Megginson
rmeggins at redhat.com
Mon May 3 14:53:23 UTC 2010
Juan Asensio Sánchez wrote:
> Hi everyone
>
> We are having trouble since we have updated from version 1.1.3 to
> 1.2.2 and 1.2.5. We have integrated CentOS/Redhat clients into LDAP.
> When we try to make "getent group", we only get one group and its
> members, but not the rest of the groups (should be more than 1000 groups).
What platform? 32-bit or 64-bit?
How many groups? Do you only get this error when you attempt a search
to return this many groups?
> In the logs of dirsrv, we get the following error:
>
> [03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection
> from XXXXX to XXXXX
> [03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES
> [03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application
> Manager,cn=config" method=128 version=3
> [03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn="cn=application manager,cn=config"
> [03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH
> base="ou=Groups,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=2
> filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid
> uniqueMember gidNumber"
> [03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH
> base="uid=XXXXX,ou=XXXXX,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0
> filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> *[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer
> reports incorrect Message Authentication Code.*
> [03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection
> from XXXXX to XXXXX
> [03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES
> [03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn="cn=Application
> Manager,cn=config" method=128 version=3
> [03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97
> nentries=0 etime=1 dn="cn=application manager,cn=config"
> [03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH
> base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0
> filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101
> nentries=1 etime=0
> [03/May/2010:12:17:41 +0200] conn=71387 op=2 SRCH
> base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0
> filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=2 RESULT err=0 tag=101
> nentries=1 etime=0
> [03/May/2010:12:17:41 +0200] conn=71387 op=3 SRCH
> base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0
> filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=3 RESULT err=0 tag=101
> nentries=1 etime=0
> [03/May/2010:12:17:41 +0200] conn=71387 op=4 SRCH
> base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0
> filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=4 RESULT err=0 tag=101
> nentries=1 etime=0
>
> The following UIDs search after the group, are the members of the
> first group returned by the group search. The command "getent passwd"
> works fine. This only happens in servers upgraded to 389-ds-base 1.2.2
> or 1.2.5 (tested in 6 different servers). If we configure the LDAP
> client to use un-upgraded servers using fedora-ds-base 1.1.3 (tested
> in 4 different servers), the command "getent group" works fine, and no
> errors are shown in the log. The client configuration is always the
> same, just changing the LDAP server.
>
> These are the configuration files:
>
> /etc/ldap.conf
>
> uri ldaps://XXXXXX
> base dc=XXXXXX,dc=XXXXXX
> ldap_version 3
>
> binddn cn=Application Manager,cn=config
> bindpw XXXXXX
>
> ssl on
> sasl_secprops maxssf=0
> tls_cacertdir /etc/openldap/cacerts
> tls_cacert /etc/openldap/cacerts/cert-CA-cacert.pem
>
> timelimit 20
> bind_timelimit 20
> idle_timelimit 3600
>
> nss_base_hosts ou=Computers,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?one
> nss_base_group ou=Groups,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?sub
> nss_base_passwd
> dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
> nss_base_shadow
> dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
>
> nss_initgroups_ignoreusers
> avahi,avahi-autoipd,backup,bin,daemon,dbus,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,ldap,libuuid,list,lp,mail,mailman,man,messagebus,named,news,nobody,polkituser,proxy,radiusd,radvd,root,sshd,sync,sys,syslog,tomcat,uucp,www-data
> pam_password clear
>
>
> /etc/openldap/ldap.conf
>
> URI ldaps://XXXXXX
> BASE dc=XXXXXX,dc=XXXXXX
>
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_CACERT /etc/openldap/cacerts/cert-CA-cacert.pem
> TLS_REQCERT allow
>
>
> /etc/nsswitch.conf
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> hosts: files dns
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: nisplus
>
> publickey: nisplus
>
> automount: files nisplus
> aliases: files nisplus
>
> Regards.
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
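The access-log excerpt above shows the key triage question for this kind of failure: which operation was still outstanding on the connection when the SSL layer tore it down. The following script is an added example (not code from the thread or from the 389-ds project) that parses access-log lines in the format quoted above, tracks every SRCH until its RESULT arrives, and reports, for each connection closed with the "SSL peer reports incorrect Message Authentication Code" reason, the searches that never completed. The sample log is constructed from the quoted excerpt with the same XXXXX anonymisation; the second connection's "UNBIND" and "closed - U1" lines are assumed normal-unbind records added for contrast, and the regular expressions are assumptions about the log format, not a 389-ds parser.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the access-log excerpt quoted in the thread.
# Hosts and DN components stay anonymised as XXXXX. The "UNBIND" and
# "closed - U1" lines for conn=71387 are assumed normal-unbind records.
SAMPLE_LOG = """\
[03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection from XXXXX to XXXXX
[03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES
[03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=application manager,cn=config"
[03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH base="ou=Groups,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=2 filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid uniqueMember gidNumber"
[03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH base="uid=XXXXX,ou=XXXXX,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer reports incorrect Message Authentication Code.
[03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection from XXXXX to XXXXX
[03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES
[03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=application manager,cn=config"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=2 UNBIND
[03/May/2010:12:17:41 +0200] conn=71387 op=2 fd=73 closed - U1
"""

# Assumed line shapes, derived from the excerpt: every record starts with a
# bracketed timestamp and conn=N; operations carry op=N; the close record
# reads "closed - <reason>" and may be preceded by fd=N.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$')
SRCH_RE = re.compile(
    r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) .*?nentries=(?P<nentries>\d+)')
CLOSE_RE = re.compile(r'^(?:fd=\d+ )?closed - (?P<reason>.*)$')

MAC_ERROR = "SSL peer reports incorrect Message Authentication Code"


def parse_access_log(text):
    """Group records by connection; track each SRCH until its RESULT arrives."""
    conns = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an access-log record we recognise
        conn = conns.setdefault(
            m.group('conn'), {'searches': OrderedDict(), 'close': None, 'closed_at': None})
        op, rest = m.group('op'), m.group('rest')
        s = SRCH_RE.match(rest)
        if s:
            conn['searches'][op] = {'base': s.group('base'), 'scope': int(s.group('scope')),
                                    'filter': s.group('filter'), 'result': None}
            continue
        r = RESULT_RE.match(rest)
        if r and op in conn['searches']:
            # A RESULT for a BIND (op not in searches) is deliberately ignored.
            conn['searches'][op]['result'] = {'err': int(r.group('err')),
                                              'nentries': int(r.group('nentries'))}
            continue
        c = CLOSE_RE.match(rest)
        if c:
            conn['close'] = c.group('reason').rstrip('.')
            conn['closed_at'] = m.group('ts')
    return conns


def find_mac_failures(text):
    """Return, per connection closed with the SSL MAC error, the searches still outstanding."""
    findings = []
    for conn_id, conn in parse_access_log(text).items():
        if not conn['close'] or MAC_ERROR not in conn['close']:
            continue
        in_flight = [{'op': op, **srch}
                     for op, srch in conn['searches'].items() if srch['result'] is None]
        findings.append({'conn': conn_id, 'closed_at': conn['closed_at'], 'in_flight': in_flight})
    return findings


def report(findings):
    """Render a short triage summary, one block per failed connection."""
    out = []
    for f in findings:
        out.append(f"conn={f['conn']} closed at {f['closed_at']}: {MAC_ERROR}")
        if not f['in_flight']:
            out.append("  no search was outstanding at close")
        for s in f['in_flight']:
            out.append(f"  op={s['op']} still outstanding: base={s['base']} "
                       f"scope={s['scope']} filter={s['filter']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(find_mac_failures(SAMPLE_LOG)))
```

Run against the sample, the report singles out conn=71386 and lists op=1, the scope=2 posixGroup search under ou=Groups, as never having received a RESULT before the close; that is the search whose large response coincides with the MAC error, which is the information Rich's question about the group count is after. Pointing the script at a real access log (reading the file instead of SAMPLE_LOG) shows whether the failures always line up with the same large search or are spread across operations.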