[389-users] SSL peer reports incorrect Message Authentication Code in versions >= 1.2.2

Rich Megginson rmeggins at redhat.com
Mon May 3 14:53:23 UTC 2010


Juan Asensio Sánchez wrote:
> Hi everyone
>
> We are having trouble since we updated from version 1.1.3 to 
> 1.2.2 and 1.2.5. We have integrated CentOS/Redhat clients into LDAP. 
> When we try to run "getent group", we only get one group and its 
> members, but not the rest of the groups (there should be more than 1000 groups).
What platform?  32-bit or 64-bit?
How many groups?  Do you only get this error when you attempt a search 
to return this many groups?
> In the logs of dirsrv, we get the following error:
>
> [03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection 
> from XXXXX to XXXXX
> [03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES
> [03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application 
> Manager,cn=config" method=128 version=3
> [03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 
> nentries=0 etime=0 dn="cn=application manager,cn=config"
> [03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH 
> base="ou=Groups,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=2 
> filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid 
> uniqueMember gidNumber"
> [03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH 
> base="uid=XXXXX,ou=XXXXX,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 
> filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> *[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer 
> reports incorrect Message Authentication Code.*
> [03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection 
> from XXXXX to XXXXX
> [03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES
> [03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn="cn=Application 
> Manager,cn=config" method=128 version=3
> [03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97 
> nentries=0 etime=1 dn="cn=application manager,cn=config"
> [03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH 
> base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 
> filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 
> nentries=1 etime=0
> [03/May/2010:12:17:41 +0200] conn=71387 op=2 SRCH 
> base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 
> filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=2 RESULT err=0 tag=101 
> nentries=1 etime=0
> [03/May/2010:12:17:41 +0200] conn=71387 op=3 SRCH 
> base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 
> filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=3 RESULT err=0 tag=101 
> nentries=1 etime=0
> [03/May/2010:12:17:41 +0200] conn=71387 op=4 SRCH 
> base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 
> filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=4 RESULT err=0 tag=101 
> nentries=1 etime=0
>
> The UID searches that follow the group search are for the members of the 
> first group returned by the group search. The command "getent passwd" 
> works fine. This only happens on servers upgraded to 389-ds-base 1.2.2 
> or 1.2.5 (tested on 6 different servers). If we configure the LDAP 
> client to use un-upgraded servers running fedora-ds-base 1.1.3 (tested 
> on 4 different servers), the command "getent group" works fine, and no 
> errors are shown in the log. The client configuration is always the 
> same, just changing the LDAP server.
>
> These are the configuration files:
>
> /etc/ldap.conf
>
> uri ldaps://XXXXXX
> base dc=XXXXXX,dc=XXXXXX
> ldap_version 3
>
> binddn cn=Application Manager,cn=config
> bindpw XXXXXX
>
> ssl on
> sasl_secprops maxssf=0
> tls_cacertdir /etc/openldap/cacerts
> tls_cacert    /etc/openldap/cacerts/cert-CA-cacert.pem
>
> timelimit 20
> bind_timelimit 20
> idle_timelimit 3600
>
> nss_base_hosts ou=Computers,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?one
> nss_base_group ou=Groups,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?sub
> nss_base_passwd 
> dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
> nss_base_shadow 
> dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
>
> nss_initgroups_ignoreusers 
> avahi,avahi-autoipd,backup,bin,daemon,dbus,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,ldap,libuuid,list,lp,mail,mailman,man,messagebus,named,news,nobody,polkituser,proxy,radiusd,radvd,root,sshd,sync,sys,syslog,tomcat,uucp,www-data
> pam_password clear
>
>
> /etc/openldap/ldap.conf
>
> URI   ldaps://XXXXXX
> BASE  dc=XXXXXX,dc=XXXXXX
>
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_CACERT    /etc/openldap/cacerts/cert-CA-cacert.pem
> TLS_REQCERT   allow
>
>
> /etc/nsswitch.conf
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
>
> hosts:      files dns
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
>
> netgroup:   nisplus
>
> publickey:  nisplus
>
> automount:  files nisplus
> aliases:    files nisplus
>
> Regards.
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
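To answer the "do you only get this error on the large group search?" question across many connections rather than by eyeballing one excerpt, it helps to correlate every "closed - SSL peer reports incorrect Message Authentication Code" line in the 389-ds access log with the operations that were still unanswered on that connection. The script below is an added example, not code from the thread or from 389-ds; it parses the access-log format shown in the post, tracks BIND/SRCH/RESULT per conn, and reports, for each connection closed with the MAC error, which searches never got a RESULT. The sample log is constructed (hosts 10.0.0.x, dc=example, uid=alice are made up) and follows the line shapes quoted above; the "closed - U1" disconnect code on the second connection is the normal unbind case, included so the filter has something to ignore.

```python
#!/usr/bin/env python3
"""Correlate 'closed - SSL peer reports incorrect Message Authentication Code'
disconnects in a 389-ds access log with the operations still outstanding on
that connection when it dropped.  Added example; not part of 389-ds."""
import re

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CLOSE_RE = re.compile(r'^op=(?P<op>-?\d+) fd=\d+ closed - (?P<reason>.*)$')
OP_RE = re.compile(r'^op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<detail>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MAC_ERROR = 'SSL peer reports incorrect Message Authentication Code'

# Constructed sample in the access-log format quoted in the post.  Hosts, DNs
# and the uid are made up; this is not output from a real server.
SAMPLE_LOG = """\
[03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection from 10.0.0.5 to 10.0.0.1
[03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES
[03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=application manager,cn=config"
[03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH base="ou=Groups,o=example,dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid uniqueMember gidNumber"
[03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH base="uid=alice,ou=People,o=example,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer reports incorrect Message Authentication Code.
[03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection from 10.0.0.5 to 10.0.0.1
[03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES
[03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=application manager,cn=config"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH base="uid=alice,ou=People,o=example,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=2 UNBIND
[03/May/2010:12:17:41 +0200] conn=71387 op=2 fd=73 closed - U1
"""


def parse_kv(detail):
    """Turn ' base="..." scope=2 filter="(...)"' into a dict, unquoting values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(detail)}


def analyze(log_text, marker=MAC_ERROR):
    """Return {conn: {...}} for every connection whose close reason contains marker.

    Each entry carries the close timestamp, the bind DN in use and the SRCH
    operations that never received a RESULT line before the connection closed."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we recognise
        conn = int(m.group('conn'))
        st = conns.setdefault(conn, {'bind_dn': None, 'ops': {}, 'closed': None})
        rest = m.group('rest')
        cm = CLOSE_RE.match(rest)
        if cm:
            st['closed'] = (m.group('ts'), cm.group('reason').rstrip('.'))
            continue
        om = OP_RE.match(rest)
        if not om:
            continue  # "SSL connection from ...", "SSL 256-bit AES", etc.
        op, kind, kv = int(om.group('op')), om.group('kind'), parse_kv(om.group('detail'))
        if kind == 'BIND':
            st['bind_dn'] = kv.get('dn')
        elif kind == 'SRCH':
            st['ops'][op] = {'op': op, 'base': kv.get('base'), 'scope': kv.get('scope'),
                             'filter': kv.get('filter'), 'answered': False}
        elif kind == 'RESULT' and op in st['ops']:
            st['ops'][op].update(answered=True, err=int(kv.get('err', 0)),
                                 nentries=int(kv.get('nentries', 0)))

    hits = {}
    for conn, st in conns.items():
        if st['closed'] is None or marker not in st['closed'][1]:
            continue
        hits[conn] = {
            'ts': st['closed'][0],
            'reason': st['closed'][1],
            'bind_dn': st['bind_dn'],
            'unanswered': [o for o in st['ops'].values() if not o['answered']],
        }
    return hits


def report(hits):
    """Human-readable lines: one header per connection, one line per outstanding search."""
    lines = []
    for conn, h in sorted(hits.items()):
        lines.append(f"conn={conn} closed at {h['ts']} ({h['reason']}) bound as {h['bind_dn']!r}")
        for o in h['unanswered']:
            lines.append(f"  outstanding op={o['op']} SRCH base={o['base']!r} "
                         f"scope={o['scope']} filter={o['filter']!r}")
    return lines


if __name__ == '__main__':
    print('\n'.join(report(analyze(SAMPLE_LOG))))
```

Run it against the real access log (`analyze(open('/var/log/dirsrv/slapd-INSTANCE/access').read())`) and look at the `base`/`scope` of the outstanding searches: if every MAC-error close has the scope=2 posixGroup search still unanswered, the problem is tied to that large result set, which is what the question in the reply is probing; if it also hits small base-scope lookups, it is not about result size.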