Dax Kelson <[EMAIL PROTECTED]>:

> I'm having a problem where two RHL7.2 LDAP clients out of many don't
> authenticate against an OpenLDAP server. They are using starttls to
> connect to the server. The chain is sshd -> pam_ldap -> openldap ->
> OpenSSL.
>
> In openldap-2.0.21/libraries/libldap/tls.c line ~625
>
> err = SSL_connect( ssl );
>
> If the failing client is "slightly bogged down by ltracing the sshd
> process", then err == 1 (success), otherwise err == 0 (failure), [...]
>
> Details:
>
> pam_ldap.so calls ldap_start_tls_s. I tracked that down to:
>
> openldap-2.0.21/libraries/libldap/tls.c
>
> Eventually the ldap_int_tls_connect function is called.
>
> The important lines from this function are the OpenSSL functions:
>
> ssl = alloc_handle( ctx ); (creates ssl handle)
> err = SSL_connect( ssl );

SSL_connect() returning 0 indicates that a read attempt for the underlying
channel returned 0, which usually stands for EOF. If libldap uses sockets
for I/O, you should watch the actual socket operations to see what is going
on. Take a look at the call to readsocket() in crypto/bio/bss_sock.s
(readsocket() is actually read() on Unix platforms, see e_os.h).

-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]