Package: nslcd
Version: 0.9.7-2
Severity: important

Dear Maintainer,

Debian 7 install works fine with certificate auth. Debian 9 install with same config files appears to not work and throws these errors:

Apr 25 16:41:08 nori nslcd[1376]: [52255a] <passwd(all)> failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available:
Apr 25 16:41:08 nori nslcd[1376]: [52255a] <passwd(all)> no available LDAP server found: Unknown authentication method: Bad file descriptor
Apr 25 16:41:13 nori nslcd[1376]: [9cf92e] <group(all)> no available LDAP server found: Server is unavailable: Bad file descriptor
Apr 25 16:41:18 nori nslcd[1376]: [ed7263] <passwd="*"> request denied by validnames option

contents of /etc/nslcd.conf:

uid nslcd
gid nslcd
uri ldap://ldi.s.uw.edu
ssl start_tls
tls_cacertfile /etc/ssl/ldi/InCommonCA.crt
tls_cert /etc/ssl/ldi/ldi-client.crt
tls_key /etc/ssl/ldi/ldi-client.key
sasl_mech EXTERNAL
pagesize 250
nss_min_uid 1000
nss_initgroups_ignoreusers ALLLOCAL

certificate key I'm using:

> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 12603 (0x313b)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C = US, ST = WA, O = University of Washington, OU = UW
> Services, CN = UW Services CA, emailAddress = h...@cac.washington.edu
>         Validity
>             Not Before: Apr 5 00:15:01 2017 GMT
>             Not After : Apr 6 00:15:01 2020 GMT
>         Subject: C = US, ST = Washington, O = University of Washington, OU =
> Center for Studies in Demography and Ecology, CN =
> ldap-client.csde.washington.edu
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             X509v3 Extended Key Usage:
>                 TLS Web Client Authentication, TLS Web Server Authentication
>             X509v3 Subject Key Identifier:
>                 68:2F:05:ED:33:1A:C2:60:57:0D:FF:87:E6:C6:3B:C1:60:3E:AD:96
>             X509v3 Subject Alternative Name:
>                 DNS:ldap-client.csde.washington.edu
>             X509v3 Authority Key Identifier:
>
> keyid:55:D7:C1:33:C6:FA:93:F8:27:3D:CB:20:4B:F5:5A:8E:58:97:7D:74
>                 DirName:/C=US/ST=WA/O=University of Washington/OU=UW
> Services/CN=UW Services CA/emailAddress=h...@cac.washington.edu
>                 serial:00
>
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:http://certs.cac.washington.edu/UWServicesCA.crl
>
>     Signature Algorithm: sha256WithRSAEncryption
> Issuing: openssl x509 -in ldap-client.csde.washington.edu.pem -noout -enddate
> notAfter=Apr 6 00:15:01 2020 GMT

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nslcd depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.60
ii  libc6                  2.24-10
ii  libgssapi-krb5-2       1.15-1
ii  libldap-2.4-2          2.4.44+dfsg-4+b1
ii  lsb-base               9.20161125

Versions of packages nslcd recommends:
ii  bind9-host [host]           1:9.10.3.dfsg.P4-12.1
ii  ca-certificates             20161130
ii  host                        1:9.10.3.dfsg.P4-12.1
ii  ldap-utils                  2.4.44+dfsg-4+b1
ii  libnss-ldapd [libnss-ldap]  0.9.7-2
ii  libpam-ldapd [libpam-ldap]  0.9.7-2
pn  nscd                        <none>
ii  nslcd-utils                 0.9.7-2

Versions of packages nslcd suggests:
pn  kstart  <none>

-- debconf information:
  nslcd/ldap-bindpw: (password omitted)
  nslcd/xdm-needs-restart:
  nslcd/restart-failed:
  nslcd/ldap-sasl-authcid:
  nslcd/ldap-auth-type: none
  nslcd/ldap-reqcert:
  nslcd/ldap-binddn:
  nslcd/ldap-sasl-mech:
  nslcd/ldap-sasl-authzid:
  nslcd/restart-services:
* nslcd/ldap-base: dc=ldi,dc=uw,dc=edu
  nslcd/ldap-starttls: false
  nslcd/ldap-sasl-realm:
  nslcd/ldap-sasl-secprops:
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
  nslcd/disable-screensaver:
  libraries/restart-without-asking: false
* nslcd/ldap-uris: ldap://ldi.s.uw.edu
  nslcd/ldap-cacertfile: /etc/ssl/certs/ca-certificates.crt