Thanks for the help, all;

The (handy) 'set -x' in the /etc/profile did show the culprit:

+ for i in '/etc/profile.d/*.sh'
+ '[' -r /etc/profile.d/krb5-workstation.sh ']'
+ . /etc/profile.d/krb5-workstation.sh
++ echo /usr/local/bin:/bin:/usr/bin
++ /bin/grep -q /usr/kerberos/bin
++ PATH=/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin
++ echo /usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin
++ /bin/grep -q /usr/kerberos/sbin
++ '[' = 0 ']'
-bash: [: =: unary operator expected


Thanks,
John
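
The failure in the trace above is an unquoted `[` test whose left operand expanded to nothing. The following is an added example, not part of the original post: it shows the unquoted and quoted forms side by side and a loop that names the offending snippet. The function names, the `lookup` variable and the two snippet files are hypothetical, constructed stand-ins for /etc/profile.d/*.sh.

```shell
#!/bin/sh
# Added example; the snippet files below are constructed stand-ins
# for /etc/profile.d/*.sh, not the real krb5-workstation.sh.

# Unquoted operand: an empty $1 disappears and the test becomes `[ = 0 ]`.
is_zero_unquoted() { [ $1 = 0 ]; }

# Quoted operand: an empty value is still passed as one (empty) argument.
is_zero_quoted() { [ "$1" = 0 ]; }

# Source each *.sh under directory $1 in its own subshell and print the
# names of the files whose stderr carries a diagnostic from `[`.
find_broken_snippets() {
    for f in "$1"/*.sh; do
        [ -r "$f" ] || continue
        # Capture stderr only; a failing snippet must not stop the scan.
        err=$( ( . "$f" ) 2>&1 >/dev/null ) || true
        case $err in
            *'[: '*) printf '%s\n' "${f##*/}" ;;
        esac
    done
}

# Build a throwaway directory holding one sound and one fragile snippet.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    cat >"$d/good.sh" <<'EOF'
lookup=$(true)                # constructed: a lookup that prints nothing
if [ "$lookup" = 0 ]; then PATH=/usr/kerberos/sbin:$PATH; fi
EOF
    cat >"$d/broken.sh" <<'EOF'
lookup=$(true)                # same empty result, unquoted below
if [ $lookup = 0 ]; then PATH=/usr/kerberos/sbin:$PATH; fi
EOF
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
find_broken_snippets "$demo"
rm -rf "$demo"
```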



> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Stoddard
> Sent: Saturday, May 30, 2009 10:12 AM
> To: openssl-users@openssl.org
> Subject: RE: TLS w/LDAP
> 
> If you add "set -x" to the top of your script, you can see
> the script execute line by line to locate the source of the
> error.
> 
> Dave
> 
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John Kane
> Sent: Saturday, May 30, 2009 12:53 AM
> To: openssl-users@openssl.org
> Subject: RE: TLS w/LDAP
> 
> Thanks for the response, Kyle.
> 
> I've pretty much deduced what the error is, but just cannot figure out
> where it is coming from.  It only happens when I turn on TLS for LDAP.
> There are really no 'variables' defined in the LDAP configs; nothing
> using the '[ "$blah" = blahblah ]' syntax... that is why I turned to
> this list hoping to find what other file (non-ldap) might be read ONLY
> when I had the 'ssl start_tls' set in my ldap config.
> 
> John
> 
> 
> > -----Original Message-----
> > From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kyle Hamilton
> > Sent: Friday, May 29, 2009 10:19 PM
> > To: openssl-users@openssl.org
> > Subject: Re: TLS w/LDAP
> >
> > That's an error in the script you're launching at startup.  I don't
> > know what it is, but I'd bet there's an unquoted '[' character
> > somewhere that is only evaluated when TLS LDAP is enabled.  (see the
> > '-bash: ' at the beginning of the line?  That tells you that bash is
> > generating the error message.)
> >
> > -Kyle H
> >
> > On Fri, May 29, 2009 at 1:34 PM, John Kane
> > <john.k...@prodeasystems.com> wrote:
> > > I just turned on TLS on my LDAP (per instructions on
> > > http://www.openldap.org/faq/data/cache/185.html).  Now all of my Linux
> > > servers give the following error on login:
> > >
> > > -bash: [: =: unary operator expected
> > >
> > > The error goes away when I turn TLS back off.  I cannot determine what
> > > is causing this error, or even which file contains the error.  I've gone
> > > through my LDAP config file, cannot find an issue in any of these.
> > >
> > > Other than my cacert.pem, and the LDAP config files, are there other
> > > files that are read only when TLS is turned on?
> > >
> > > Thanks,
> > > John
> > >
> > > ++++ Here's my configs ++++
> > >
> > > I turn on TLS by adding the following in my /etc/ldap.conf (pam/nss
> > > file):
> > >
> > >        ssl start_tls
> > >        tls_checkpeer yes
> > >        tls_cacertfile /etc/openldap/cacerts/cacert.pem
> > >        tls_cacertdir /etc/openldap/cacerts/
> > >
> > >
> > > and have the following in my /etc/openldap/ldap.conf (openldap file):
> > >
> > >        HOST 172.25.3.97
> > >        BASE dc=example,dc=net
> > >        TLS_CACERTDIR /etc/openldap/cacerts/
> > >        TLS_REQCERT allow
> > >
> > > and my (self-signed) cacert:
> > >
> > > [r...@serverx cacerts]# openssl x509 -text -in /etc/openldap/cacerts/cacert.pem
> > > Certificate:
> > >    Data:
> > >        Version: 3 (0x2)
> > >        Serial Number: 0 (0x0)
> > >        Signature Algorithm: sha1WithRSAEncryption
> > >        Issuer: C=US, ST=Utah, O=Bigtime CA, OU=Signers, CN=Integration Root CA/emailaddress=john.sm...@myco.com
> > >        Validity
> > >            Not Before: May 28 04:37:13 2009 GMT
> > >            Not After : May 27 04:37:13 2012 GMT
> > >        Subject: C=US, ST=Utah, O=Bigtime CA, OU=Signers, CN=Integration Root CA/emailaddress=john.sm...@myco.com
> > >        Subject Public Key Info:
> > >            Public Key Algorithm: rsaEncryption
> > >            RSA Public Key: (1024 bit)
> > >                Exponent: 65537 (0x10001)
> > >        X509v3 extensions:
> > >            X509v3 Basic Constraints:
> > >                CA:FALSE
> > >            Netscape Comment:
> > >                OpenSSL Generated Certificate
> > >            X509v3 Subject Key Identifier:
> > >                0B:FB:7D:0B:0D:17:A3:CD:79:02:A3:A3:92:57:15:6F:DE:38:07:3C
> > >            X509v3 Authority Key Identifier:
> > >                keyid:0B:FB:7D:0B:0D:17:A3:CD:79:02:A3:A3:92:57:15:6F:DE:38:07:3C
> > >
> > >    Signature Algorithm: sha1WithRSAEncryption
> > >
> > >
> > >
> > >
> > >
> > > This message is confidential to Prodea Systems, Inc unless otherwise
> > > indicated or apparent from its nature. This message is directed to the
> > > intended recipient only, who may be readily determined by the sender of
> > > this message and its contents. If the reader of this message is not the
> > > intended recipient, or an employee or agent responsible for delivering
> > > this message to the intended recipient: (a) any dissemination or copying
> > > of this message is strictly prohibited; and (b) immediately notify the
> > > sender by return message and destroy any copies of this message in any
> > > form (electronic, paper or otherwise) that you have. The delivery of
> > > this message and its information is neither intended to be nor
> > > constitutes a disclosure or waiver of any trade secrets, intellectual
> > > property, attorney work product, or attorney-client communications. The
> > > authority of the individual sending this message to legally bind Prodea
> > > Systems is neither apparent nor implied, and must be independently
> > > verified.
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > User Support Mailing List                    openssl-us...@openssl.org
> > > Automated List Manager                           majord...@openssl.org