[OmniOS-discuss] ldap auth
Paul B. Henson
henson at acm.org
Sat Sep 7 01:44:15 UTC 2013
On 9/6/2013 12:13 AM, Thierry Bingen wrote:
> Yes it is, and as I am pretty confident that it is safe (except for NSA intrusions), here is its name: ldap.haulogy.net
Hmm.
You can turn on debugging of nss by
# export SSLDEBUG=1
which, if you don't set NSS_HASH_ALG_SUPPORT, gives you:
# ldapsearch -Z -h ldap.haulogy.net -p 636 -b dc=haulogy,dc=net uid=test
SSL: debugging set to 1
2770: SSL3[134666056]: peer certificate is no good: error=-8016
ldap_search: Can't contact LDAP server
error=-8016 is SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, as expected.
However, when setting NSS_HASH_ALG_SUPPORT:
# NSS_HASH_ALG_SUPPORT=+MD5 ldapsearch -Z -h ldap.haulogy.net -p 636 -b dc=haulogy,dc=net uid=test
SSL: debugging set to 1
ldap_search: Can't contact LDAP server
You don't get an SSL error, but it still fails to connect. So it seems
the environment variable is working, enabling the deprecated MD5 cert,
but there's something else it doesn't like.
At this point, we really need a debug build of ldapsearch so we could
run it with the -d option. Unfortunately, I don't have an illumos dev
box up at the moment. I've been meaning to rebuild one for ages, but
just haven't found the time. Perhaps someone with a current dev box
would be kind enough to provide a debug build of ldapsearch (compiled
with -DLDAP_DEBUG) so we can see exactly what it is unhappy about?
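Before chasing the LDAP library itself, it is worth confirming offline what NSS is objecting to: error -8016 is raised because the server certificate is signed with a digest (MD5) that NSS disables by default. The script below is an added example, not code from this thread or from OmniOS; it assumes only that the openssl CLI is on PATH. It extracts the signature algorithm from a PEM certificate and classifies it, and it builds its own throwaway MD5-signed and SHA-256-signed certificates (constructed test data) so the check can be run without network access. The fetch_server_cert helper, the host/port arguments and the treatment of SHA-1 as "weak" are the editor's additions, not anything the thread states.

```shell
#!/bin/sh
# Added example (not from the OmniOS-discuss thread): report the signature
# algorithm of a certificate and say whether NSS would disable it, which is
# what SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED (-8016) means.
# Assumes: openssl CLI available; host/port below are placeholders.

# Print the signature algorithm of a PEM certificate, e.g. md5WithRSAEncryption.
# The first "Signature Algorithm:" line in -text output is the one in the TBS body.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Return 0 when the digest is one a modern NSS refuses by default for
# certificate signatures (MD2/MD4/MD5, the thread's case). SHA-1 is included
# as an editor's assumption: it is not what -8016 was about in 2013, but a
# practitioner checking a directory server today would want it flagged too.
is_weak_sig_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        md2*|md4*|md5*) return 0 ;;
        sha1*)          return 0 ;;
        *)              return 1 ;;
    esac
}

# Pull a live server's leaf certificate over LDAPS (needs network; not run here).
# Usage: fetch_server_cert ldap.example.net 636 > server.pem
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Constructed test data: a self-signed certificate signed with the given digest.
make_cert_with_digest() {
    # $1 = output PEM path, $2 = digest name understood by openssl req (md5, sha256, ...)
    openssl req -x509 -newkey rsa:2048 -nodes "-$2" -days 1 \
        -subj "/CN=$2-test" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}
make_md5_cert()    { make_cert_with_digest "$1" md5; }
make_sha256_cert() { make_cert_with_digest "$1" sha256; }

# Stand-alone demo: classify an MD5-signed and a SHA-256-signed certificate.
demo() {
    dir=$(mktemp -d)
    make_md5_cert "$dir/md5.pem"
    make_sha256_cert "$dir/sha256.pem"
    for f in "$dir/md5.pem" "$dir/sha256.pem"; do
        alg=$(cert_sig_alg "$f")
        if is_weak_sig_alg "$alg"; then
            echo "$f: $alg -> NSS rejects this unless NSS_HASH_ALG_SUPPORT enables it (error -8016)"
        else
            echo "$f: $alg -> acceptable to NSS"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run it as-is for the demo, or replace the demo with fetch_server_cert against the real directory host and pass the saved PEM to cert_sig_alg; if the answer is md5WithRSAEncryption, the -8016 seen in the thread is fully explained and the remaining "Can't contact LDAP server" with NSS_HASH_ALG_SUPPORT=+MD5 set is a separate problem.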