After setting "ssl start_tls" in /etc/ldap.conf, one can no longer run "su" as root or as an ordinary user. Console login also fails. Remote ssh login as an ordinary user (in the ldap directory) still works, but one can't su to root or to any other user. Another problem: automount can't get its mount maps from LDAP.

Reproducible: Always

Steps to Reproduce:
1. Configure /etc/openldap/slapd.conf by setting "security tls=1" and start the slapd daemon so that it listens only on the regular ldap port 389.
2. Running "getent passwd|group|shadow" fails before setting "ssl start_tls". "su" works fine.
3. Now enable "ssl start_tls" and "tls_cacertfile". Install a CA certificate.
4. Run the same commands as in step 2. User/group information is now pulled from the LDAP server, but su no longer works, even as the root user. Root can no longer log in from the console.

Expected Results:
Before and after enabling "tls" in /etc/ldap.conf, su should work without any issue. For a similar setup, CentOS 5.0 does not have this problem.

pam_ldap version: sys-auth/pam_ldap-183

Gentoo environment:
Portage 2.1.2.9 (default-linux/amd64/2006.1, gcc-4.1.2, glibc-2.5-r4, 2.6.18-xenU x86_64)
=================================================================
System uname: 2.6.18-xenU x86_64 Intel(R) Xeon(TM) CPU 3.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 20 Jul 2007 05:30:10 +0000
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.61
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 berkdb bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 isdnlog libg++ mbox midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl ppds pppd python readline reflection session spl ssl tcpd truetype-fonts type1-fonts unicode xorg zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTDIR_OVERLAY

Openldap, pam_ldap and nss_ldap are compiled as follows:
[ebuild   R   ] net-nds/openldap-2.3.35-r1  USE="berkdb crypt debug ipv6 kerberos overlays perl readline samba sasl ssl tcpd -gdbm -minimal -odbc (-selinux) -slp -smbkrb5passwd" 0 kB
[ebuild   R   ] sys-auth/pam_ldap-183  USE="ssl -sasl" 0 kB
[ebuild   R   ] sys-auth/nss_ldap-253  USE="-debug -sasl" 0 kB

/etc/ldap.conf:
================================================================
uri ldap://ldap1.example.com
base dc=example,dc=com
ldap_version 3
ssl on
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/cacert.pem
scope sub
bind_policy soft
pam_password exop
nss_base_passwd ou=people,dc=example,dc=com
nss_base_shadow ou=people,dc=example,dc=com
nss_base_group ou=groups,dc=example,dc=com
====================================================================

When commenting out "ssl on" and "ssl start_tls", su works fine.

Simon
Remove 'ssl on' from /etc/ldap.conf
No response from user, closing invalid as it is a user configuration error.
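The configuration posted in the report sets both "ssl on" and "ssl start_tls", and the resolution is to drop "ssl on". The following is an added example, not code from the bug report or from the pam_ldap/nss_ldap projects: a small linter for an /etc/ldap.conf in the whitespace-separated "directive value" format shown above that flags the conflicting pair, flags "ssl on" (which requests LDAPS) combined with a plain ldap:// uri, and flags TLS enabled with no CA material to verify the server. The two embedded configs are constructed: one mirrors the report, the other applies the fix from the closing comment. The exact semantics the three rules encode (ssl on meaning LDAPS on 636, start_tls meaning StartTLS on 389, tls_cacertdir as an alternative to tls_cacertfile) are this example's assumptions about nss_ldap/pam_ldap, not statements the report itself makes.

```python
"""Lint an nss_ldap/pam_ldap-style ldap.conf for conflicting TLS directives.

Added example; not part of the original bug report. The rules below are
assumptions about how nss_ldap/pam_ldap interpret 'ssl' and 'tls_*'.
"""

from typing import Dict, List

# Constructed sample: the /etc/ldap.conf from the report (both ssl lines set).
REPORTED_CONF = """
uri ldap://ldap1.example.com
base dc=example,dc=com
ldap_version 3
ssl on
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/cacert.pem
scope sub
bind_policy soft
pam_password exop
"""

# Constructed sample: the same file after applying the fix ("remove 'ssl on'").
FIXED_CONF = """
uri ldap://ldap1.example.com
base dc=example,dc=com
ldap_version 3
ssl start_tls            # StartTLS on the plain port
tls_cacertfile /etc/openldap/cacerts/cacert.pem
scope sub
bind_policy soft
pam_password exop
"""


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to its values, in file order.

    Repeated directives are kept so that 'ssl on' followed by 'ssl start_tls'
    can be detected instead of silently letting the last one win.
    '#' starts a comment; blank lines are ignored.
    """
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, []).append(value)
    return directives


def lint_tls(directives: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings about the TLS-related directives."""
    findings: List[str] = []
    ssl_values = [v.lower() for v in directives.get("ssl", [])]
    uris = [u.lower() for u in directives.get("uri", [])]
    ldaps_mode = "on" in ssl_values          # assumption: 'ssl on' == LDAPS (636)
    starttls_mode = "start_tls" in ssl_values  # assumption: StartTLS on 389

    if ldaps_mode and starttls_mode:
        findings.append(
            "'ssl on' and 'ssl start_tls' are both set; they select different "
            "transports, keep exactly one of them")
    if ldaps_mode and any(u.startswith("ldap://") for u in uris):
        findings.append(
            "'ssl on' requests LDAPS but uri uses ldap:// (plain port); "
            "use ldaps:// or switch to 'ssl start_tls'")
    if (ldaps_mode or starttls_mode) and not (
            "tls_cacertfile" in directives or "tls_cacertdir" in directives):
        findings.append(
            "TLS enabled without tls_cacertfile/tls_cacertdir; the server "
            "certificate cannot be verified")
    return findings


def lint_text(text: str) -> List[str]:
    """Convenience wrapper: parse and lint a whole ldap.conf body."""
    return lint_tls(parse_ldap_conf(text))


if __name__ == "__main__":
    for name, conf in (("reported", REPORTED_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {lint_text(conf) or ['no findings']}")
```

Run against a real file with `lint_text(open("/etc/ldap.conf").read())`; an empty list means none of the three rules fired. The parser keeps repeated directives on purpose, because a config reader that simply overwrites earlier values would hide exactly the duplicate "ssl" pair this report turned on.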