Found the problem and solved.
I accidently copied the file /etc/openldap/ldap.conf accidently to under /root account as .ldaprc file and immediately the problem goes away. Read manual again and found that the tls_cert and tls_key are USER_ONLY option!
So now the problem goes away, and sure I'lll change the TLSVerifyClient option back to 'try'. It is of no immediate uses if TLS client authentication is only user-option.
Thanks.
________________________________ From: Robinson Tiemuqinke hahaha_30k@yahoo.com To: CentOS mailing list centos@centos.org Sent: Monday, April 23, 2012 2:42 PM Subject: openldap-server 'TLSVerifyClient demand' fails on centos 6.2?
ldapsearch -x -ZZ works fine on clients, when the server side slapd.conf has 'TLSVerifyClient' is set to 'try'. But after I changed that the 'demand' all clients' "ldapsearch -x -ZZ" command fails immediately. I run the 'slapd -d3' at server side too.
It looks like maybe 'ldapsearch -x -zz' didn't send out client certificates, even though it should with '-ZZ' options -- from ldap.conf manual?
My client side /etc/openldap/ldap.conf is like below:
BASE dc=example,dc=com URI ldap://ldapmaster.example.com
## working TLS_CACERT /etc/openldap/myca.crt TLS_CERT /etc/openldap/ldapclient01.crt TLS_KEY /etc/openldap/ldapclient01.key
My server side setup is:
## now using my own CA ## and it works! TLSCACertificateFile /etc/openldap/myca.crt TLSCertificateFile /etc/openldap/ldapmaster.crt TLSCertificateKeyFile /etc/openldap/ldapmaster.key
#TLSVerifyClient allow TLSVerifyClient demand ## testing client TLS keys and my own CA setup, 'demand' failed for ldapsearch #TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2 TLSCipherSuite HIGH:MEDIUM:+SSLv2
The logs on server is attahed below as well, Thanks. ... connection_get(14): got connid=1000 connection_read(14): checking for input on id=1000 TLS: loaded CA certificate file /etc/openldap/myca.crt. TLS: certificate [E=admin@example.com,CN=ldapmaster.example.com,OU=techOps,O=Pegaclouds Inc.,L=San Mateo,ST=CA,C=US] is valid tls_read: want=3, got=3 0000: 16 03 01 ... tls_read: want=2, got=2 0000: 00 41 .A tls_read: want=65, got=65 0000: 01 00 00 3d 03 01 4f 95 c1 e0 a9 10 22 30 25 4b ...=..O....."0%K 0010: f8 da a5 27 64 9e 25 60 35 d0 5c 28 30 74 a8 40 ...'d.%`5.(0t.@ ...
tls_read: want=5 error=Resource temporarily unavailable connection_get(14): got connid=1000 connection_read(14): checking for input on id=1000 tls_read: want=5, got=5 0000: 16 03 01 01 0d ..... tls_read: want=269, got=269 0000: 0b 00 00 03 00 00 00 10 00 01 02 01 00 ac 64 b8 ..............d. 0010: bd bf 20 46 b8 14 e7 38 9a a1 40 2c 36 3a 78 fa .. F...8..@,6:x. 0020: 8a 12 61 3d e3 5e bf 02 f2 f9 a1 70 4e 7f 4e 11 ..a=.^.....pN.N. 0030: cd e6 ba 6d ee 1e 91 95 c7 9f c7 b3 e0 21 ea bb ...m.........!.. 0040: 11 78 cc 58 c1 b1 37 f4 d5 18 ff 59 ad df 48 52 .x.X..7....Y..HR 0050: a7 cd 26 0a fe d8 09 bb 7e 70 16 d2 b7 35 de 9f ..&.....~p...5.. 0060: b3 0a ee 1e aa 42 e4 20 ed 8d 2f 31 f2 5d e9 d7 .....B. ../1.].. 0070: 82 4c 78 30 48 5d 54 5c cf c2 cc c9 33 31 50 c5 .Lx0H]T....31P. 0080: 56 62 f8 ea dd 34 32 ff a1 81 e3 2f f7 a4 0e 58 Vb...42..../...X 0090: ff 84 39 0a fe 74 20 18 a6 ac 18 00 dc 8c 0e fd ..9..t ......... 00a0: 5d 2e a3 87 4e 0b e8 51 66 85 8a 60 2e b7 01 a2 ]...N..Qf..`.... 00b0: 4a 5c d9 74 9b 32 04 16 57 2e f2 60 2d 45 3d 30 J.t.2..W..`-E=0 00c0: e3 39 c9 a3 af 7b 86 4b f0 f0 7e 34 f8 bf cf 4c .9...{.K..~4...L 00d0: 73 57 df e5 11 0a 41 de 7f 78 ed f4 cf 9b e8 10 sW....A..x...... 00e0: ce 1a b1 73 ff 76 ec ff 23 46 85 24 02 b9 aa 4b ...s.v..#F.$...K 00f0: fe c9 2a c6 06 ff 54 94 25 5d cc 3d de 5b 1d 9f ..*...T.%].=.[.. 0100: 03 a1 36 da 3b 69 95 67 21 b5 61 d7 e9 ..6.;i.g!.a.. tls_write: want=7, written=7 0000: 15 03 01 00 02 02 2a ......* TLS: error: accept - force handshake failure: errno 11 - moznss error -12285 TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication.. connection_read(14): TLS accept failure error=-1 id=1000, closing connection_close: conn=1000 sd=14 ... --Robinson
________________________________ From: Robinson Tiemuqinke hahaha_30k@yahoo.com To: CentOS mailing list centos@centos.org Sent: Wednesday, November 23, 2011 11:20 AM Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?
I've tried with cr kernel, not it moves much faster but still fails -- fails at the partition failure, this setup is S3 backed image.
root (hd0) Filesystem type is ext2fs, using whole disk kernel /boot/vmlinuz-2.6.32-131.17.1.el6.x86_64 ro root=/dev/sda1 rd_NO_LUKS rd _NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTY PE=pc KEYTABLE=us crashkernel=auto crashkernel=auto initrd /boot/initramfs-2.6.32-131.17.1.el6.x86_64.img
close blk: backend at /local/domain/0/backend/vbd/8/2049 close blk: backend at /local/domain/0/backend/vbd/8/2064 close blk: backend at /local/domain/0/backend/vbd/8/2080 close blk: backend at /local/domain/0/backend/vbd/8/2096 close blk: backend at /local/domain/0/backend/vbd/8/2112 Initializing cgroup subsys cpuset Initializing cgroup subsys cpu Linux version 2.6.32-131.17.1.el6.x86_64 (mockbuild@c6b5.bsys.dev.centos.org) (gcc version 4.4.5 20110214 (Red Hat 4.4.5-6) (GCC) ) #1 SMP Thu Oct 6 19:24:09 BST 2011 Command line: ro root=/dev/sda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto crashkernel=auto KERNEL supported cpus: Intel GenuineIntel AMD AuthenticAMD Centaur CentaurHauls ACPI in unprivileged domain disabled BIOS-provided physical RAM map: Xen: 0000000000000000 - 00000000000a0000 (usable) Xen: 00000000000a0000 - 0000000000100000 (reserved) Xen: 0000000000100000 - 00000001c0000000 (usable) DMI not present or invalid. last_pfn = 0x1c0000 max_arch_pfn = 0x400000000 last_pfn = 0x100000 max_arch_pfn = 0x400000000 init_memory_mapping: 0000000000000000-0000000100000000 init_memory_mapping: 0000000100000000-00000001c0000000 RAMDISK: 02028000 - 0460c000 No NUMA configuration found Faking a node at 0000000000000000-00000001c0000000 Bootmem setup node 0 0000000000000000-00000001c0000000 NODE_DATA [0000000000008000 - 000000000003bfff] bootmap [000000000003c000 - 0000000000073fff] pages 38 (8 early reservations) ==> bootmem [0000000000 - 01c0000000] #0 [0000000000 - 0000001000] BIOS data page ==> [0000000000 - 0000001000] #1 [000540f000 - 000543e000] XEN PAGETABLES ==> [000540f000 - 000543e000] #2 [0000006000 - 0000008000] TRAMPOLINE ==> [0000006000 - 0000008000] #3 [0001000000 - 0002007524] TEXT DATA BSS ==> [0001000000 - 0002007524] #4 [0002028000 - 000460c000] RAMDISK ==> [0002028000 - 000460c000] #5 [000460c000 - 000540f000] XEN START INFO ==> [000460c000 - 000540f000] #6 [0000100000 - 00008d3000] PGTABLE ==> [0000100000 - 00008d3000] #7 [000543e000 - 0005a41000] PGTABLE ==> [000543e000 - 0005a41000] Reserving 129MB of memory at 96MB for crashkernel (System RAM: 7168MB) Zone PFN ranges: DMA 0x00000001 -> 0x00001000 DMA32 0x00001000 -> 0x00100000 Normal 0x00100000 -> 0x001c0000 Movable zone start PFN for each node early_node_map[2] active PFN ranges 0: 0x00000001 -> 0x000000a0 0: 0x00000100 -> 0x001c0000 SFI: Simple Firmware Interface v0.7 http://simplefirmware.org SMP: Allowing 8 CPUs, 0 hotplug CPUs No local APIC present APIC: disable apic facility PM: Registered nosave memory: 00000000000a0000 - 0000000000100000 PCI: Warning: Cannot find a gap in the 32bit address range PCI: Unassigned devices with 32bit resource registers may break! Allocating PCI resources starting at 1c0100000 (gap: 1c0100000:400000) Booting paravirtualized kernel on Xen Xen version: 3.4.3-2.6.18 (preserve-AD) NR_CPUS:4096 nr_cpumask_bits:8 nr_cpu_ids:8 nr_node_ids:1 PERCPU: Embedded 30 pages/cpu @ffff88002804f000 s92504 r8192 d22184 u122880 pcpu-alloc: s92504 r8192 d22184 u122880 alloc=30*4096 pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 [0] 4 [0] 5 [0] 6 [0] 7 Xen: using vcpu_info placement Built 1 zonelists in Node order, mobility grouping on. Total pages: 1807817 Policy zone: Normal Kernel command line: ro root=/dev/sda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto crashkernel=129M@0M PID hash table entries: 4096 (order: 3, 32768 bytes) Checking aperture... No AGP bridge found AMD-Vi disabled by default: pass amd_iommu=on to enable PCI-DMA: Using software bounce buffering for IO (SWIOTLB) Placing 64MB software IO TLB between ffff880020000000 - ffff880024000000 software IO TLB at phys 0x20000000 - 0x24000000 Memory: 6955572k/7340032k available (5013k kernel code, 388k absent, 384072k reserved, 7291k data, 1232k init) Hierarchical RCU implementation. NR_IRQS:33024 nr_irqs:336 Console: colour dummy device 80x25 console [tty0] enabled console [hvc0] enabled
... TCP cubic registered Initializing XFRM netlink socket NET: Registered protocol family 17 registered taskstats version 1 XENBUS: Device with no driver: device/vbd/2049 XENBUS: Device with no driver: device/vbd/2064 XENBUS: Device with no driver: device/vbd/2080 XENBUS: Device with no driver: device/vbd/2096 XENBUS: Device with no driver: device/vbd/2112 XENBUS: Device with no driver: device/vif/0 XENBUS: Device with no driver: device/console/0 drivers/rtc/hctosys.c: unable to open rtc device (rtc0) Initalizing network drop monitor service Freeing unused kernel memory: 1232k freed Write protecting the kernel read-only data: 10240k Freeing unused kernel memory: 1112k freed Freeing unused kernel memory: 1796k freed dracut: dracut-004-33.2.el6_0 dracut: rd_NO_LUKS: removing cryptoluks activation dracut: rd_NO_LVM: removing LVM activation device-mapper: uevent: version 1.0.3 device-mapper: ioctl: 4.20.6-ioctl (2011-02-02) initialised: dm-devel@redhat.com udev: starting version 147 dracut: Starting plymouth daemon dracut: rd_NO_DM: removing DM RAID activation dracut: rd_NO_MD: removing MD RAID activation xlblk_init: register_blkdev major: 202 blkfront: xvde1: barriers disabled blkfront: xvdf: barriers disabled xvdf: unknown partition table blkfront: xvdg: barriers disabled xvdg: unknown partition table blkfront: xvdh: barriers disabled xvdh: unknown partition table blkfront: xvdi: barriers disabled xvdi: unknown partition table
Boot has failed, sleeping forever.
________________________________ From: Robinson Tiemuqinke hahaha_30k@yahoo.com To: Johnny Hughes johnny@centos.org Cc: CentOS mailing list centos@centos.org Sent: Wednesday, November 23, 2011 10:48 AM Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?
Hi Johnny,
Thanks a lot. I'll upgrade kernel to the cr repository, and give it a try now.
--Guolin
________________________________ From: Johnny Hughes johnny@centos.org To: centos@centos.org Sent: Wednesday, November 23, 2011 9:55 AM Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?
On 11/23/2011 11:40 AM, Robinson Tiemuqinke wrote:
I tried several ways but still no help. The following are the output (stock Centos 6 2.6.32-71.29.1.el6.x86_64 kernel), grub works fine and it located kernel and initial ramdisk. but kernel booting faied at the very beginning...
Any suggestions are more than appreciated.
--------------------------------------------------
2011-11-23T17:19:21+0000
Xen Minimal OS! start_info: 0x1890000(VA) nr_pages: 0x1e0000 shared_inf: 0xb2cea000(MA) pt_base: 0x1893000(VA) nr_pt_frames: 0x11 mfn_list: 0x990000(VA) mod_start: 0x0(VA) mod_len: 0 flags: 0x0 cmd_line: root=/dev/sda1 ro 4 stack: 0x94f860-0x96f860 MM: Init _text: 0x0(VA) _etext: 0x6000d(VA) _erodata: 0x78000(VA) _edata: 0x80b00(VA) stack start: 0x94f860(VA) _end: 0x98fe68(VA) start_pfn: 18a7 max_pfn: 1e0000 Mapping memory range
0x1c00000 - 0x1e0000000
setting 0x0-0x78000 readonly skipped 0x1000 MM: Initialise page allocator for 27a0000(27a0000)-1e0000000(1e0000000) MM: done Demand map pfns at 1e0001000-21e0001000. Heap resides at 21e0002000-41e0002000. Initialising timer interface Initialising console ... done. gnttab_table mapped at 0x1e0001000. Initialising scheduler Thread "Idle": pointer: 0x21e0002010, stack: 0x36f0000 Initialising xenbus Thread "xenstore": pointer: 0x21e00027c0, stack: 0x3700000 Dummy main: start_info=0x96f960 Thread "main": pointer: 0x21e0002f70, stack: 0x3710000 "main" "root=/dev/sda1" "ro" "4" vbd 2049 is hd0 ******************* BLKFRONT for device/vbd/2049 **********
backend at /local/domain/0/backend/vbd/162/2049 Failed to read
/local/domain/0/backend/vbd/162/2049/feature-barrier.
Failed to read /local/domain/0/backend/vbd/162/2049/feature-flush-cache. 20971520 sectors of 512 bytes
vbd 2064 is hd1 ******************* BLKFRONT for device/vbd/2064 **********
backend at /local/domain/0/backend/vbd/162/2064 Failed to read /local/domain/0/backend/vbd/162/2064/feature-barrier. Failed to read /local/domain/0/backend/vbd/162/2064/feature-flush-cache. 880732160 sectors of 512 bytes
vbd 2080 is hd2 ******************* BLKFRONT for device/vbd/2080 **********
backend at /local/domain/0/backend/vbd/162/2080 Failed to read /local/domain/0/backend/vbd/162/2080/feature-barrier. Failed to read /local/domain/0/backend/vbd/162/2080/feature-flush-cache. 880732160 sectors of 512
bytes
[H[J GNU GRUB version 0.97 (7864320K lower / 0K upper memory)
[m[4;2H+-------------------------------------------------------------------------+[5;2H|[5;76H|[6;2H|[6;76H|[7;2H|[7;76H|[8;2H|[8;76H|[9;2H|[9;76H|[10;2H|[10;76H|[11;2H|[11;76H|[12;2H|[12;76H|[13;2H|[13;76H|[14;2H|[14;76H|[15;2H|[15;76H|[16;2H|[16;76H|[17;2H+-------------------------------------------------------------------------+[m Use the ^ and v keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the commands before booting, or 'c' for a command-line.[5;78H [m[7m[5;3H CentOS (2.6.32-71.29.1.el6.x86_64) [5;75H[m[m[6;3H
[6;75H[m[m[7;3H [7;75H[m[m[8;3H [8;75H[m[m[9;3H
[9;75H[m[m[10;3H [10;75H[m[m[11;3H [11;75H[m[m[12;3H [12;75H[m[m[13;3H
[13;75H[m[m[14;3H
[14;75H[m[m[15;3H [15;75H[m[m[16;3H
[16;75H[m[16;78H [5;75H[23;4H The highlighted entry will be booted automatically in 5 seconds. [5;75H[23;4H The highlighted entry will be booted automatically in 4 seconds. [5;75H[23;4H The highlighted entry will be booted automatically in 3 seconds. [5;75H[23;4H The highlighted entry will be booted automatically in 2 seconds. [5;75H[23;4H The highlighted entry will be booted automatically in 1 seconds. [5;75H[H[J Booting 'CentOS (2.6.32-71.29.1.el6.x86_64)'
root (hd0) Filesystem type is ext2fs, using whole disk
kernel /boot/vmlinuz-2.6.32-71.29.1.el6.x86_64 ro root=/dev/sda1 rhgb quiet initrd /boot/initramfs-2.6.32-71.29.1.el6.x86_64.img
close blk: backend at /local/domain/0/backend/vbd/162/2049 close blk:
backend at /local/domain/0/backend/vbd/162/2064
close blk: backend at /local/domain/0/backend/vbd/162/2080 PCI: Warning: Cannot find a gap in the 32bit address range PCI: Unassigned devices with 32bit resource registers may break! PCI: Fatal: No config space access function found
Boot has failed, sleeping forever.
From: Robinson Tiemuqinke hahaha_30k@yahoo.com To: CentOS mailing list centos@centos.org Sent: Tuesday, November 22, 2011 3:35 PM Subject: [CentOS] EC2 compatible kernel for centos 6? Hi all,
I'm just scrambling to collect clues to build an Amazon AWS
AMI based on Centos 6. the AWS PV-GRUB kernel loads my kernel but failed immediately. I'm using stock Centos 6 kernel 2.6.32-71.29.1.el6. and the kernel seems have xen? support? My questions are:
1, Are the centos 6 stock kernels, like kernel-2.6.32-71.29.1.el6.x86_64, EC2 compatible?
2, If the answer to the above #1 question is NO, the are the centos plus kernels, like kernel-2.6.32-71.29.1.el6.centos.plus.x86_64, EC2 compatible?
3, If the answers to both above are 'NO', then Are there any instructions to build a EC2 kernel based on kernel source RPMs?
Any help are greatly appreciated.
--Tie
I do not use amazon services, but does this help:
https://forums.aws.amazon.com/thread.jspa?threadID=78007
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos