# LDAPclient - TLS works after about 3 days login not correct

## boospy

Hi,

Client and server are Gentoo. For 2 weeks I have been using a cert from StartSSL. I activated it on the server and the client, and all works fine. But after about 3 or more days, on the client side there are some problems. You must understand, all things work fine. The only place where I see a problem is the KDE terminal. When I open this program I do not see "myusername@hostname", I see

```
i have no username!@hostname~ $
```

This is the only application where I have observed it. Until now. When I disable TLS on the client it works fine. But as I said, this is true only if you have been logged in for longer. Here is my client config:

/etc/ldap.conf

```
suffix                  "dc=bla,dc=local"
bind_policy             soft
bind_timelimit          2
ldap_version            3
nss_base_group          ou=usergroups,ou=group,dc=bla,dc=local
nss_base_hosts          ou=machines,dc=bla,dc=local
nss_base_passwd         ou=users,ou=people,dc=bla,dc=local
nss_base_shadow         ou=users,ou=people,dc=bla,dc=local
pam_filter              objectclass=posixAccount
pam_filter              |(host=darkbox)(host=*)
pam_check_host_attr     yes
pam_login_attribute     uid
pam_member_attribute    memberUid
pam_password            exop
scope                   one
timelimit               2
uri                     ldap://ldaphost.bla.local/
ssl                     start_tls
TLS_REQCERT             allow
nss_reconnect_tries          4     # number of times to double the sleep time
nss_reconnect_sleeptime      1     # initial sleep value
nss_reconnect_maxsleeptime   16    # max sleep value to cap at
nss_reconnect_maxconntries   2     # how many tries before sleeping
```

/etc/openldap/ldap.conf

```
BASE    dc=bla,dc=local
URI     ldap://ldaphost.local/
#SIZELIMIT      12
TLS_REQCERT     allow
TIMELIMIT       2
```

/etc/nsswitch.conf

```
passwd:      ldap compat
shadow:      ldap compat
group:       ldap compat
hosts:       files dns mdns6
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

/etc/pam.d/system-auth

```
auth            required        pam_env.so
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            required        pam_deny.so

account         sufficient      pam_ldap.so
account         required        pam_unix.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        required        pam_deny.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         required        pam_mkhomedir.so skel=/etc/skel umask=0077
session         optional        pam_ldap.so
```

/etc/pam.d/su

```
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so group=wheel use_uid
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_env.so
session    optional     pam_xauth.so
```

And here is my server config:

/etc/openldap/slapd.conf

```
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/pmi.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/ldapns.schema
include         /etc/openldap/schema/openssh-lpk.schema
include         /etc/openldap/schema/quota.schema
include         /etc/openldap/schema/dhcp.schema

TLSCACertificateFile    /etc/openldap/ssl/ldap1.ca
TLSCertificateFile      /etc/openldap/ssl/ldap1.crt
TLSCertificateKeyFile   /etc/openldap/ssl/ldap1.key

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/lib64/openldap/openldap
moduleload      back_hdb.so
# moduleload    back_sock.so
# moduleload    back_shell.so
# moduleload    back_relay.so
# moduleload    back_passwd.so
# moduleload    back_null.so
# moduleload    back_monitor.so
# moduleload    back_meta.so
# moduleload    back_ldap.so
# moduleload    back_dnssrv.so

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth

# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        hdb
suffix          "dc=bla,dc=local"
#         <kbyte> <min>
checkpoint      32      30
rootdn          "cn=Manager,dc=bla,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}blablabla
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data
# Indices to maintain
index   objectClass     eq
```

I hope someone can help me :)

Greetings

boospy

----------
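The two client files above differ in two places a reviewer would check before chasing the terminal symptom: `TLS_REQCERT allow` in both files, and a URI host that does not match between them (`ldaphost.bla.local` vs `ldaphost.local`). The following linter is an added example, not code from the post or from nss_ldap/OpenLDAP; it parses the shared "key value" format of `/etc/ldap.conf` and `/etc/openldap/ldap.conf` and reports TLS settings that weaken or contradict a StartTLS setup. The sample texts are constructed from the post's files so the script runs offline; the file names in the findings are only labels.

```python
"""Added example: lint nss_ldap and OpenLDAP client files for TLS weaknesses.

Parses the 'key value' format used by /etc/ldap.conf (nss_ldap/pam_ldap) and
/etc/openldap/ldap.conf and reports settings that weaken or contradict the
StartTLS setup. The sample texts below are constructed from the post, not read
from disk, so the script runs offline.
"""
from urllib.parse import urlsplit

# Constructed sample: the TLS-relevant lines of the two client files from the post.
LDAP_CONF = """\
suffix                  "dc=bla,dc=local"
bind_policy             soft
uri                     ldap://ldaphost.bla.local/
ssl                     start_tls
TLS_REQCERT             allow
nss_reconnect_tries 4                   # number of times to double the sleep time
"""

OPENLDAP_LDAP_CONF = """\
BASE    dc=bla,dc=local
URI     ldap://ldaphost.local/
#SIZELIMIT      12
TLS_REQCERT     allow
TIMELIMIT       2
"""


def parse_ldap_conf(text):
    """Return {key: value} for a 'key value' config file.

    Keys are case-folded (both files accept TLS_REQCERT and tls_reqcert),
    '#' starts a comment (the post's file uses trailing comments), and a
    repeated key keeps its last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_client_tls(nss_conf, openldap_conf):
    """Return a list of findings for the two parsed client configs."""
    findings = []
    files = (("/etc/ldap.conf", nss_conf), ("/etc/openldap/ldap.conf", openldap_conf))

    for name, conf in files:
        # TLS_REQCERT allow/never: an invalid or missing server certificate is
        # still accepted, so StartTLS encrypts but does not authenticate the server.
        reqcert = conf.get("tls_reqcert", "demand").lower()
        if reqcert in ("allow", "never"):
            findings.append(f"{name}: TLS_REQCERT {reqcert} accepts an invalid or missing server certificate")
        elif not (conf.get("tls_cacert") or conf.get("tls_cacertdir")):
            findings.append(f"{name}: no TLS_CACERT/TLS_CACERTDIR, verification relies on the library default trust store")

    # nss_ldap: 'ssl start_tls' upgrades a plain ldap:// connection; pairing it
    # with an ldaps:// URI is contradictory, and no 'ssl' at all means cleartext.
    nss_uri = nss_conf.get("uri", "")
    ssl_mode = nss_conf.get("ssl", "off").lower()
    if ssl_mode == "start_tls" and nss_uri.startswith("ldaps://"):
        findings.append("/etc/ldap.conf: ssl start_tls combined with an ldaps:// URI")
    if ssl_mode == "off" and nss_uri.startswith("ldap://"):
        findings.append("/etc/ldap.conf: no TLS configured; binds and lookups go in cleartext")

    # Both files should name the same server: the certificate can match at most
    # one hostname, and command-line tools (libldap) and NSS lookups (nss_ldap)
    # would otherwise talk to different names.
    nss_host = urlsplit(nss_uri).hostname
    ol_host = urlsplit(openldap_conf.get("uri", "")).hostname
    if nss_host and ol_host and nss_host != ol_host:
        findings.append(f"URI host differs: {nss_host} (nss_ldap) vs {ol_host} (libldap)")
    return findings


if __name__ == "__main__":
    for finding in lint_client_tls(parse_ldap_conf(LDAP_CONF), parse_ldap_conf(OPENLDAP_LDAP_CONF)):
        print("WARN:", finding)
```

Run against the post's files it reports three findings: `TLS_REQCERT allow` in each file and the host mismatch. Setting `TLS_REQCERT demand` plus a `TLS_CACERT` pointing at the StartSSL chain, with the same URI in both files, makes the list empty.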

## boospy

Hi,

When I look in messages I have a lot of these:

```
Mar 24 18:52:48 darkbox polkitd(authority=local): nss_ldap: could not search LDAP server - Server is unavailable
Mar 24 18:52:55 darkbox cupsd: nss_ldap: could not search LDAP server - Server is unavailable
Mar 24 18:53:55 darkbox cupsd: nss_ldap: could not search LDAP server - Server is unavailable
Mar 24 18:54:43 darkbox bash: nss_ldap: failed to bind to LDAP server ldap://ldaphost.bla.local/: Can't contact LDAP server
```

But the server is available. And it syncs correctly. This desktop is the only one on the network that has problems with TLS. The LDAP version is the same. After relogin it is the same.

What's going on ....

----------
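The `nss_ldap:` lines in `/var/log/messages` are the most useful evidence in this thread: they show failures from several unrelated processes (polkitd, cupsd, a login shell) on one host within two minutes. The script below is an added example, not part of the post; it parses classic syslog lines of that shape, counts failures per process and per error message, and flags a burst inside a time window so the condition can be alerted on rather than noticed in a terminal prompt. The four sample lines are constructed from the post; the year is assumed because syslog timestamps carry none.

```python
"""Added example: triage nss_ldap failures from /var/log/messages.

Parses syslog-style lines such as the ones quoted in the post, counts failures
per process and message, and flags a burst of failures within a time window.
The sample lines are constructed from the post; no real log file is read.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines (the four quoted in the post).
SAMPLE_LOG = """\
Mar 24 18:52:48 darkbox polkitd(authority=local): nss_ldap: could not search LDAP server - Server is unavailable
Mar 24 18:52:55 darkbox cupsd: nss_ldap: could not search LDAP server - Server is unavailable
Mar 24 18:53:55 darkbox cupsd: nss_ldap: could not search LDAP server - Server is unavailable
Mar 24 18:54:43 darkbox bash: nss_ldap: failed to bind to LDAP server ldap://ldaphost.bla.local/: Can't contact LDAP server
"""

# Classic syslog layout: "Mon DD HH:MM:SS host process: nss_ldap: message".
# The process field is matched lazily so names like "polkitd(authority=local)"
# survive intact; ": nss_ldap: " is the anchor that ends it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>.+?): nss_ldap: (?P<msg>.+)$"
)


def parse_nss_ldap_events(text, year=2000):
    """Return [(timestamp, host, process, message)] for every nss_ldap line.

    Classic syslog timestamps carry no year, so the caller supplies one
    (assumed here; the default is a leap year so 'Feb 29' still parses).
    Lines from other subsystems are ignored.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["proc"], m["msg"]))
    return events


def summarize(events):
    """Count failures per process and per distinct error message."""
    by_proc = Counter(proc for _, _, proc, _ in events)
    by_msg = Counter(msg for _, _, _, msg in events)
    return by_proc, by_msg


def failure_burst(events, threshold=3, window=timedelta(minutes=5)):
    """True if at least `threshold` failures fall inside any span of `window`.

    One failure is noise (a slow answer from the server); several failures from
    unrelated processes on the same host within minutes is the condition worth
    alerting on, and it is what the post's four lines show.
    """
    times = sorted(ts for ts, *_ in events)
    for i, start in enumerate(times):
        end = start + window
        if sum(1 for t in times[i:] if t <= end) >= threshold:
            return True
    return False


if __name__ == "__main__":
    evts = parse_nss_ldap_events(SAMPLE_LOG)
    by_proc, by_msg = summarize(evts)
    print("per process:", dict(by_proc))
    print("per message:", dict(by_msg))
    print("burst:", failure_burst(evts))
```

The per-message split separates search failures after a bind succeeded ("could not search LDAP server") from bind failures ("failed to bind ... Can't contact LDAP server"), which is the first distinction to make when the server is reachable from every other host.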

