Update: I logged this bug further down the stack, as it was also affecting the "ldap-utils" package (ldapsearch and ldapwhoami also)

I got some feedback that led us to determine that our LDAP server on CentOS was offering up a LOT of certificate options... scaling those back made the system including nslcd work again.

The other bug is Bug#861838.

Thanks Arthur for the help in getting started on the debugging process for this.

Matt


On 5/2/17 11:59 AM, Arthur de Jong wrote:
On Thu, 2017-04-27 at 20:25 -0700, Matt Weatherford wrote:
I'm sure you have many, many other projects going but I am motivated
to solve this problem - is there anything else I can try on my
side?  I've sent you nslcd debug info ...  anything else I can do?
Sorry for not replying sooner. Your ldapsearch output shows that at
least the problem is not per se in nss-pam-ldapd ;)

To get more debugging info from nslcd you could specify -d twice when
running nslcd. This also enables extra debugging in libldap which
produces a lot of output but I don't think it will include extra debug
output of the TLS library (GnuTLS on Debian).

For ldapsearch you could try passing -d1 to get debug output. I assume
the ldapsearch in your script works on older versions? From my
experience I think the certificates and keys can only be configured in
a configuration file (e.g. ldaprc in the current directory).

Maybe comparing the debug output from Debian 7 and 9 will provide some
more insights?

One thing that you could try is add the DN to bind as, as binddn instead
of leaving it empty. You should probably be able to get the DN from an
ldapwhoami query on older versions of Debian.

Another thing that could help is looking in the server logs to see if
any problem is logged there (it could be a TLS version or cipher-suite
mismatch).

I don't think there should be many issues with how the key, CSR and CRT
are generated. GnuTLS should be able to handle files generated by
OpenSSL as far as I know. Location of the files should also not be
an issue.

I have not done client certificate authentication recently and not on
Debian.


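Matt's update says the fix was trimming back the "LOT of certificate options" the CentOS LDAP server was offering. The example below is added here and is not code from the thread or from nss-pam-ldapd; it assumes (an assumption, not something the thread states) that the options in question are the "Acceptable client certificate CA names" the server lists in its TLS CertificateRequest, which `openssl s_client` prints when it connects. The script parses a constructed copy of that output and reports how many CA names were sent and how many bytes they occupy, so the same check can be run against the working and the failing server and the two lists compared. The hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): count the client-certificate CA names a TLS
# server advertises, as shown in `openssl s_client` output.  A long list inflates
# the CertificateRequest message; comparing the count between a server that works
# with nslcd/ldapsearch and one that does not is a cheap first check.

# Constructed sample of `openssl s_client` output; not captured from any real server.
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example/CN=ldap.example.test
   i:/C=US/O=Example/CN=Example Issuing CA 1
---
Acceptable client certificate CA names
/C=US/O=Example/CN=Example Root CA
/C=US/O=Example/CN=Example Issuing CA 1
/C=US/O=Example/CN=Example Issuing CA 2
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 3412 bytes and written 461 bytes
---'

# count_ca_names: read s_client output on stdin and print "<count> <bytes>",
# where <count> is the number of acceptable CA names and <bytes> the total
# length of their printed subject lines.  Prints "0 0" when the server sent none.
count_ca_names() {
  awk '
    /^Acceptable client certificate CA names/ { inlist = 1; next }
    /^No client certificate CA names sent/    { inlist = 0 }
    inlist && (/^Client Certificate Types/ || /^Requested Signature/ || /^---/) { inlist = 0 }
    inlist { n++; bytes += length($0) }
    END { printf "%d %d\n", n + 0, bytes + 0 }
  '
}

# report_ca_names: wrap count_ca_names with a one-line human-readable summary.
# Argument 1 is the label to print (e.g. the server name).
report_ca_names() {
  label=$1
  set -- $(count_ca_names)
  printf '%s: server advertised %s acceptable client CA name(s), %s bytes of subject names\n' \
    "$label" "$1" "$2"
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE" | report_ca_names "sample"

# Live usage against a real server (placeholder host; run manually, not here):
#   openssl s_client -connect ldap.example.test:636 </dev/null 2>/dev/null | report_ca_names "ldap.example.test"
```

Run the live command once against the Debian 7 client's working server and once against the failing one; if the failing server lists many more CA names, that is the place to start trimming, which matches what Matt found.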