Apr 12

This post is mainly intended to collect some information that is currently hard to find on Google. I wrote it in the hope that it might help someone else running into the same or a similar problem as I did. It took several hours of investigation, spread over several days, to finally fix a problem with my setup of Gentoo-based servers, all of which authenticate against a shared LDAP tree via PAM, Linux's Pluggable Authentication Modules.

The scenario consists of multiple servers running Gentoo. As every server provides a different service (one hosts web sites, another one hosts mail accounts), they come with different software setups, but all share a common user account database managed in an LDAP tree (which is, of course, hosted on yet another dedicated server). The servers run in different data centers in cities spread all over the country, so some effort is required to protect inter-server communication using SSL/TLS. For the sake of completeness: the shared user account database is accessed using pam_ldap and nss_ldap.

All but one of the servers have been doing a good job recently. That single server had been bothering me for hours. Although it uses the same configuration files and the same certificates for server verification, it did not succeed in talking to the LDAP server over the required SSL/TLS connection, because it rejected the server's certificate as untrusted. I had to disable verification of server certificates to get it working temporarily. Most matches on Google cover the common installation of TLS support in the LDAP client but keep troubleshooting at a distance. Some pages suggest testing the connection with openssl in s_client mode, but that succeeded here, as expected.

A single post on launchpad.net, Ubuntu's bug tracker, revealed the somewhat hidden cause: that server had been set up quite similarly to all the others, but in a moment of mental aberration I had decided to enable integration with the GNUTLS library in its USE flags. Thus the OpenLDAP client library had been linked against GNUTLS instead of OpenSSL, which is used on all the other servers.

Bad for Ubuntu users (as they can't switch dependencies that easily), but good for Gentoo users: dropping that USE flag and re-emerging all depending packages (including OpenLDAP) did the trick.

  1. The USE flag gnutls automatically pulls in the GNUTLS library, so check which packages depend on it:
    # equery d gnutls

    Most of them probably require it only conditionally and will fall back to linking against OpenSSL once the flag is removed. If a package explicitly relies on GNUTLS, you can pull in the library manually using

    # emerge -av gnutls
  2. Remove the USE flag “gnutls” from make.conf, e.g. using the tool ufed.
  3. Re-emerge world, updating all packages affected by the change of USE flags:
    # emerge -NuDav world
  4. Double-check for any broken library links now:
    # revdep-rebuild

If the highly essential tool revdep-rebuild isn't available on your system, you should install it as soon as possible using

# emerge -av gentoolkit

Finally, don't forget to restart every service that has been re-emerged. This also includes services whose running binaries depend on the OpenLDAP client library.
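As an added diagnostic (not from the original post), the following shell snippet checks the exact condition described above before you start re-emerging: which TLS backend the installed libldap is actually linked against, and whether the gnutls USE flag is still set. The libldap location glob and the make.conf path are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: detect whether the OpenLDAP
# client library (libldap) is linked against GNUTLS or OpenSSL, and whether
# the gnutls USE flag is still enabled. Library glob and make.conf path are assumed.

# tls_backend_from_ldd: read ldd output on stdin, print gnutls|openssl|both|none.
tls_backend_from_ldd() {
    gnutls=0
    openssl=0
    while IFS= read -r line; do
        case "$line" in
            *libgnutls.so*)             gnutls=1 ;;
            *libssl.so*|*libcrypto.so*) openssl=1 ;;
        esac
    done
    if [ "$gnutls" -eq 1 ] && [ "$openssl" -eq 1 ]; then echo both
    elif [ "$gnutls" -eq 1 ]; then echo gnutls
    elif [ "$openssl" -eq 1 ]; then echo openssl
    else echo none
    fi
}

# use_has_flag USE_STRING FLAG: succeed if FLAG is enabled in a Portage USE
# string; a later "-FLAG" overrides an earlier "FLAG", as in make.conf.
use_has_flag() {
    enabled=0
    for f in $1; do
        [ "$f" = "$2" ]  && enabled=1
        [ "$f" = "-$2" ] && enabled=0
    done
    [ "$enabled" -eq 1 ]
}

# check_host: run both checks on the live system; fails unless libldap uses OpenSSL.
check_host() {
    lib=$(ls /usr/lib*/libldap*.so* 2>/dev/null | head -n 1)   # assumed location
    [ -n "$lib" ] || { echo "libldap not found" >&2; return 1; }
    backend=$(ldd "$lib" | tls_backend_from_ldd)
    echo "$lib is linked against: $backend"
    use=$(. /etc/portage/make.conf 2>/dev/null && printf '%s' "$USE")  # assumed path
    use_has_flag "$use" gnutls && echo "warning: USE flag gnutls is still enabled"
    [ "$backend" = openssl ]
}

# Constructed sample ldd output resembling the misbehaving server in the post.
SAMPLE_LDD_GNUTLS='	libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f00)
	libc.so.6 => /lib/libc.so.6 (0x00007e00)'
```

Run `check_host` on each server; a result of gnutls (or both) on a host that should match the others is the mismatch the post describes.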
