[CentOS] Problem solved -- Re: openldap-server 'TLSVerifyClient demand' fails on centos 6.2?

Mon Apr 23 22:01:08 UTC 2012
Robinson Tiemuqinke <hahaha_30k at yahoo.com>

Found the problem and solved. 


I accidentally copied the file /etc/openldap/ldap.conf to the /root account as a .ldaprc file, and immediately the problem went away. I read the manual again and found that tls_cert and tls_key are USER-ONLY options!

So now the problem is gone, and sure, I'll change the TLSVerifyClient option back to 'try'. It is of no immediate use if TLS client authentication is only a user option.

Thanks.
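
The ldap.conf(5) rule rediscovered above is easy to reintroduce on the next host, so here is an added example (not code from the post or from OpenLDAP) that models how libldap resolves its TLS options and flags TLS_CERT/TLS_KEY that live only in the system-wide file. It assumes the rules the man page states: user-only options are ignored in /etc/openldap/ldap.conf, a per-user file (~/.ldaprc, ~/ldaprc, ./ldaprc or the file named by $LDAPRC) may set them, and LDAP<OPTION> environment variables such as LDAPTLS_CERT set them too. The precedence between file and environment modelled here is an assumption; the sample ldap.conf is a copy of the client file quoted in the thread.

```python
# Per ldap.conf(5): user-only options are ignored in the system-wide file and
# only take effect from a per-user file or the environment.
USER_ONLY = frozenset({"TLS_CERT", "TLS_KEY"})
# Environment variables that select config files rather than set an option.
NON_OPTION_ENV = {"LDAPCONF", "LDAPRC", "LDAPNOINIT"}


def parse_ldap_conf(text):
    """Parse ldap.conf/ldaprc text into {OPTION: value}.

    Option names are case-insensitive and later lines override earlier ones;
    comments and blank lines are skipped. An option with no value (as when a
    line break separates TLS_KEY from its path) is kept as '' so it gets flagged.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def resolve_client_options(system_text, user_text="", env=None):
    """Model which options libldap will honour.

    Order assumed here from ldap.conf(5): system-wide file first (user-only
    options dropped), then the per-user file (~/.ldaprc, ~/ldaprc, ./ldaprc or
    $LDAPRC), then LDAP<OPTION> environment variables, e.g. LDAPTLS_CERT.
    Returns (effective options, user-only options dropped from the system file).
    """
    effective, ignored = {}, {}
    for key, value in parse_ldap_conf(system_text).items():
        (ignored if key in USER_ONLY else effective)[key] = value
    effective.update(parse_ldap_conf(user_text))
    for name, value in (env or {}).items():
        if name.startswith("LDAP") and name not in NON_OPTION_ENV:
            effective[name[len("LDAP"):].upper()] = value
    return effective, ignored


def lint_client_cert_setup(system_text, user_text="", env=None):
    """Return (effective options, problems) that would break 'TLSVerifyClient demand'."""
    effective, ignored = resolve_client_options(system_text, user_text, env)
    problems = []
    for key, value in ignored.items():
        if not effective.get(key):
            problems.append("%s=%s is set only in the system-wide ldap.conf, where it is "
                            "a user-only option and ignored" % (key, value))
    missing = [k for k in ("TLS_CERT", "TLS_KEY") if not effective.get(k)]
    if missing:
        problems.append("no effective %s: the client will send an empty Certificate message, "
                        "which 'TLSVerifyClient demand' rejects and 'try' silently accepts"
                        % " and ".join(missing))
    elif not (effective.get("TLS_CACERT") or effective.get("TLS_CACERTDIR")):
        problems.append("client certificate configured but no TLS_CACERT/TLS_CACERTDIR "
                        "to verify the server")
    return effective, problems


# Constructed copy of the client /etc/openldap/ldap.conf quoted in the thread.
SYSTEM_LDAP_CONF = """\
BASE dc=example,dc=com
URI ldap://ldapmaster.example.com
TLS_CACERT /etc/openldap/myca.crt
TLS_CERT /etc/openldap/ldapclient01.crt
TLS_KEY /etc/openldap/ldapclient01.key
"""

if __name__ == "__main__":
    # Before the fix: cert and key live only in the system-wide file.
    for p in lint_client_cert_setup(SYSTEM_LDAP_CONF)[1]:
        print("WARN:", p)
    # The fix from the thread: the same file copied to /root/.ldaprc.
    effective, problems = lint_client_cert_setup(SYSTEM_LDAP_CONF, user_text=SYSTEM_LDAP_CONF)
    print("effective TLS options:", {k: v for k, v in effective.items() if k.startswith("TLS_")})
    print("problems:", problems)
```

Two caveats worth keeping next to the fix: with TLSVerifyClient set to try, slapd completes the handshake for a client that presents no certificate at all, so the server stops authenticating clients rather than merely tolerating this misconfiguration; and a per-user .ldaprc points at a private key in that user's home, which should stay readable only by that user.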




________________________________
 From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
To: CentOS mailing list <centos at centos.org> 
Sent: Monday, April 23, 2012 2:42 PM
Subject: openldap-server 'TLSVerifyClient demand' fails on centos 6.2?
 

ldapsearch -x -ZZ works fine on clients when the server-side slapd.conf has 'TLSVerifyClient' set to 'try'. But after I changed that to 'demand', all clients' "ldapsearch -x -ZZ" commands fail immediately. I ran 'slapd -d3' on the server side too.

It looks like maybe 'ldapsearch -x -ZZ' didn't send out client certificates, even though it should with the '-ZZ' option -- according to the ldap.conf manual?

My client side /etc/openldap/ldap.conf is like below:

BASE dc=example,dc=com
URI ldap://ldapmaster.example.com

## working
TLS_CACERT /etc/openldap/myca.crt
TLS_CERT /etc/openldap/ldapclient01.crt
TLS_KEY /etc/openldap/ldapclient01.key


My server side setup is:

## now using my own CA
## and it works!
TLSCACertificateFile /etc/openldap/myca.crt
TLSCertificateFile /etc/openldap/ldapmaster.crt
TLSCertificateKeyFile /etc/openldap/ldapmaster.key


#TLSVerifyClient allow
TLSVerifyClient demand   ## testing client TLS keys and my own CA setup, 'demand' failed for ldapsearch
#TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2
TLSCipherSuite HIGH:MEDIUM:+SSLv2


The logs on the server are attached below as well. Thanks.
...
connection_get(14): got connid=1000
connection_read(14): checking for input on id=1000
TLS: loaded CA certificate file /etc/openldap/myca.crt.
TLS: certificate [E=admin at example.com,CN=ldapmaster.example.com,OU=techOps,O=Pegaclouds Inc.,L=San Mateo,ST=CA,C=US] is valid
tls_read: want=3, got=3
  0000:  16 03 01                                           ...
tls_read: want=2, got=2
  0000:  00 41                                              .A
tls_read: want=65, got=65
  0000:  01 00 00 3d 03 01 4f 95  c1 e0 a9 10 22 30 25 4b   ...=..O....."0%K
  0010:  f8 da a5 27 64 9e 25 60  35 d0 5c 28 30 74 a8 40   ...'d.%`5.\(0t.@
...

tls_read: want=5 error=Resource temporarily unavailable
connection_get(14): got connid=1000
connection_read(14): checking for input on id=1000
tls_read: want=5, got=5
  0000:  16 03 01 01 0d                                     .....
tls_read: want=269, got=269
  0000:  0b 00 00 03 00 00 00 10  00 01 02 01 00 ac 64 b8   ..............d.
  0010:  bd bf 20 46 b8 14 e7 38  9a a1 40 2c 36 3a 78 fa   .. F...8..@,6:x.
  0020:  8a 12 61 3d e3 5e bf 02  f2 f9 a1 70 4e 7f 4e 11   ..a=.^.....pN.N.
  0030:  cd e6 ba 6d ee 1e 91 95  c7 9f c7 b3 e0 21 ea bb   ...m.........!..
  0040:  11 78 cc 58 c1 b1 37 f4  d5 18 ff 59 ad df 48 52   .x.X..7....Y..HR
  0050:  a7 cd 26 0a fe d8 09 bb  7e 70 16 d2 b7 35 de 9f   ..&.....~p...5..
  0060:  b3 0a ee 1e aa 42 e4 20  ed 8d 2f 31 f2 5d e9 d7   .....B. ../1.]..
  0070:  82 4c 78 30 48 5d 54 5c  cf c2 cc c9 33 31 50 c5   .Lx0H]T\....31P.
  0080:  56 62 f8 ea dd 34 32 ff  a1 81 e3 2f f7 a4 0e 58   Vb...42..../...X
  0090:  ff 84 39 0a fe 74 20 18  a6 ac 18 00 dc 8c 0e fd   ..9..t .........
  00a0:  5d 2e a3 87 4e 0b e8 51  66 85 8a 60 2e b7 01 a2   ]...N..Qf..`....
  00b0:  4a 5c d9 74 9b 32 04 16  57 2e f2 60 2d 45 3d 30   J\.t.2..W..`-E=0
  00c0:  e3 39 c9 a3 af 7b 86 4b  f0 f0 7e 34 f8 bf cf 4c   .9...{.K..~4...L
  00d0:  73 57 df e5 11 0a 41 de  7f 78 ed f4 cf 9b e8 10   sW....A..x......
  00e0:  ce 1a b1 73 ff 76 ec ff  23 46 85 24 02 b9 aa 4b   ...s.v..#F.$...K
  00f0:  fe c9 2a c6 06 ff 54 94  25 5d cc 3d de 5b 1d 9f   ..*...T.%].=.[..
  0100:  03 a1 36 da 3b 69 95 67  21 b5 61 d7 e9            ..6.;i.g!.a..
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 2a                               ......*
TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..
connection_read(14): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=14
...
--Robinson
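
The trace already answers the question of whether ldapsearch sent a certificate; the two dumped records just need decoding. The following is an added example (not code from the post or from OpenLDAP) that reassembles the hex rows slapd -d3 prints and walks the TLS 1.0 records: the client's 269-byte Handshake record carries a Certificate message whose certificate_list is empty (0b 00 00 03 00 00 00) followed by a ClientKeyExchange, and the 7-byte reply (15 03 01 00 02 02 2a) is a fatal bad_certificate alert, written just before slapd logs moznss error -12285. The byte rows are copied from the trace above; the parser handles only unencrypted Handshake and Alert records, not the ClientHello that the excerpt shows truncated.

```python
import re

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}
# A slapd -d3 dump row: offset, up to 16 hex bytes (extra space after 8), ASCII column.
ROW = re.compile(r"^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}(?:\s+|$))+)", re.I)


def bytes_from_dump(dump):
    """Reassemble the bytes from the dump rows in a trace; every other log line is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = ROW.match(line)
        if m:  # cap at 16 so an ASCII column that looks like hex pairs is never taken as data
            out.extend(int(h, 16) for h in m.group(1).split()[:16])
    return bytes(out)


def parse_record(data):
    """Split one TLS record into (content type, (major, minor), payload)."""
    if len(data) < 5:
        raise ValueError("short record header")
    length = int.from_bytes(data[3:5], "big")
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("record truncated: header says %d bytes, dump has %d" % (length, len(payload)))
    return CONTENT_TYPES.get(data[0], "unknown(%d)" % data[0]), (data[1], data[2]), payload


def count_certificates(body):
    """Certificate body: 3-byte certificate_list length, then (3-byte length, DER) entries."""
    if int.from_bytes(body[:3], "big") != len(body) - 3:
        raise ValueError("certificate_list length mismatch")
    n, pos = 0, 3
    while pos < len(body):
        pos += 3 + int.from_bytes(body[pos:pos + 3], "big")
        n += 1
    return n


def parse_handshake_messages(payload):
    """Walk the handshake messages (1-byte type, 3-byte length, body) in a record payload."""
    msgs, pos = [], 0
    while pos < len(payload):
        hlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + hlen]
        if pos + 4 > len(payload) or len(body) != hlen:
            raise ValueError("handshake message truncated at offset %d" % pos)
        msgs.append({"type": HANDSHAKE_TYPES.get(payload[pos], "unknown(%d)" % payload[pos]),
                     "length": hlen,
                     "certificates": count_certificates(body) if payload[pos] == 11 else None})
        pos += 4 + hlen
    return msgs


def parse_alert(payload):
    if len(payload) != 2:
        raise ValueError("alert payload must be 2 bytes")
    return (ALERT_LEVELS.get(payload[0], "unknown(%d)" % payload[0]),
            ALERT_DESCRIPTIONS.get(payload[1], "unknown(%d)" % payload[1]))


def diagnose(client_record, server_record):
    """What the client's record carried and how the server answered."""
    ctype, _, payload = parse_record(client_record)
    msgs = parse_handshake_messages(payload) if ctype == "Handshake" else []
    certs = [m["certificates"] for m in msgs if m["type"] == "Certificate"]
    stype, _, spayload = parse_record(server_record)
    return {"client_messages": [m["type"] for m in msgs],
            "client_certificates": certs[0] if certs else None,
            "server_alert": parse_alert(spayload) if stype == "Alert" else None}


# Rows copied from the slapd -d3 trace in the thread: the client's second flight
# (5-byte record header, then the 269-byte record body) and the server's reply.
CLIENT_FLIGHT = r"""tls_read: want=5, got=5
  0000:  16 03 01 01 0d                                     .....
tls_read: want=269, got=269
  0000:  0b 00 00 03 00 00 00 10  00 01 02 01 00 ac 64 b8   ..............d.
  0010:  bd bf 20 46 b8 14 e7 38  9a a1 40 2c 36 3a 78 fa   .. F...8..@,6:x.
  0020:  8a 12 61 3d e3 5e bf 02  f2 f9 a1 70 4e 7f 4e 11   ..a=.^.....pN.N.
  0030:  cd e6 ba 6d ee 1e 91 95  c7 9f c7 b3 e0 21 ea bb   ...m.........!..
  0040:  11 78 cc 58 c1 b1 37 f4  d5 18 ff 59 ad df 48 52   .x.X..7....Y..HR
  0050:  a7 cd 26 0a fe d8 09 bb  7e 70 16 d2 b7 35 de 9f   ..&.....~p...5..
  0060:  b3 0a ee 1e aa 42 e4 20  ed 8d 2f 31 f2 5d e9 d7   .....B. ../1.]..
  0070:  82 4c 78 30 48 5d 54 5c  cf c2 cc c9 33 31 50 c5   .Lx0H]T\....31P.
  0080:  56 62 f8 ea dd 34 32 ff  a1 81 e3 2f f7 a4 0e 58   Vb...42..../...X
  0090:  ff 84 39 0a fe 74 20 18  a6 ac 18 00 dc 8c 0e fd   ..9..t .........
  00a0:  5d 2e a3 87 4e 0b e8 51  66 85 8a 60 2e b7 01 a2   ]...N..Qf..`....
  00b0:  4a 5c d9 74 9b 32 04 16  57 2e f2 60 2d 45 3d 30   J\.t.2..W..`-E=0
  00c0:  e3 39 c9 a3 af 7b 86 4b  f0 f0 7e 34 f8 bf cf 4c   .9...{.K..~4...L
  00d0:  73 57 df e5 11 0a 41 de  7f 78 ed f4 cf 9b e8 10   sW....A..x......
  00e0:  ce 1a b1 73 ff 76 ec ff  23 46 85 24 02 b9 aa 4b   ...s.v..#F.$...K
  00f0:  fe c9 2a c6 06 ff 54 94  25 5d cc 3d de 5b 1d 9f   ..*...T.%].=.[..
  0100:  03 a1 36 da 3b 69 95 67  21 b5 61 d7 e9            ..6.;i.g!.a..
"""
SERVER_REPLY = "  0000:  15 03 01 00 02 02 2a                               ......*"

if __name__ == "__main__":
    print(diagnose(bytes_from_dump(CLIENT_FLIGHT), bytes_from_dump(SERVER_REPLY)))
```

An empty certificate_list is the client's answer when it has no certificate configured for the connection, which is exactly the user-only-option mistake the thread ends on; a client that does send a certificate the server cannot chain to its TLSCACertificateFile typically draws unknown_ca or certificate_unknown instead, and the same decoder tells those cases apart.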





________________________________
 From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
To: CentOS mailing list <centos at centos.org> 
Sent: Wednesday, November 23, 2011 11:20 AM
Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?
 

I've tried with the cr kernel; now it moves much faster but still fails -- fails at the partition failure. This setup is an S3-backed image.

root (hd0)
 Filesystem type is ext2fs, using whole disk
kernel /boot/vmlinuz-2.6.32-131.17.1.el6.x86_64 ro root=/dev/sda1 rd_NO_LUKS rd
_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTY
PE=pc KEYTABLE=us crashkernel=auto crashkernel=auto
initrd /boot/initramfs-2.6.32-131.17.1.el6.x86_64.img

close blk: backend at /local/domain/0/backend/vbd/8/2049
close blk: backend at /local/domain/0/backend/vbd/8/2064
close blk: backend at /local/domain/0/backend/vbd/8/2080
close blk: backend at /local/domain/0/backend/vbd/8/2096
close blk: backend at /local/domain/0/backend/vbd/8/2112
Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Linux version 2.6.32-131.17.1.el6.x86_64 (mockbuild at c6b5.bsys.dev.centos.org) (gcc version 4.4.5 20110214 (Red Hat 4.4.5-6) (GCC) ) #1 SMP Thu Oct 6 19:24:09 BST 2011
Command line: ro root=/dev/sda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto crashkernel=auto
KERNEL supported cpus:
  Intel GenuineIntel
  AMD AuthenticAMD
  Centaur CentaurHauls
ACPI in unprivileged domain disabled
BIOS-provided physical RAM map:
 Xen: 0000000000000000 - 00000000000a0000 (usable)
 Xen: 00000000000a0000 - 0000000000100000 (reserved)
 Xen: 0000000000100000 - 00000001c0000000 (usable)
DMI not present or invalid.
last_pfn = 0x1c0000 max_arch_pfn = 0x400000000
last_pfn = 0x100000 max_arch_pfn = 0x400000000
init_memory_mapping: 0000000000000000-0000000100000000
init_memory_mapping: 0000000100000000-00000001c0000000
RAMDISK: 02028000 - 0460c000
No NUMA configuration found
Faking a node at 0000000000000000-00000001c0000000
Bootmem setup node 0 0000000000000000-00000001c0000000
  NODE_DATA [0000000000008000 - 000000000003bfff]
  bootmap [000000000003c000 -  0000000000073fff] pages 38
(8 early reservations) ==> bootmem [0000000000 - 01c0000000]
  #0 [0000000000 - 0000001000]   BIOS data page ==> [0000000000 - 0000001000]
  #1 [000540f000 - 000543e000]   XEN PAGETABLES ==> [000540f000 - 000543e000]
  #2 [0000006000 - 0000008000]       TRAMPOLINE ==> [0000006000 - 0000008000]
  #3 [0001000000 - 0002007524]    TEXT DATA BSS ==> [0001000000 - 0002007524]
  #4 [0002028000 - 000460c000]          RAMDISK ==> [0002028000 - 000460c000]
  #5 [000460c000 - 000540f000]   XEN START INFO ==> [000460c000 - 000540f000]
  #6 [0000100000 - 00008d3000]          PGTABLE ==> [0000100000 - 00008d3000]
  #7 [000543e000 - 0005a41000]          PGTABLE ==> [000543e000 - 0005a41000]
Reserving 129MB of memory at 96MB for crashkernel (System RAM: 7168MB)
Zone PFN ranges:
  DMA      0x00000001 -> 0x00001000
  DMA32    0x00001000 -> 0x00100000
  Normal   0x00100000 -> 0x001c0000
Movable zone start PFN for each node
early_node_map[2] active PFN ranges
    0: 0x00000001 -> 0x000000a0
    0: 0x00000100 -> 0x001c0000
SFI: Simple Firmware Interface v0.7 http://simplefirmware.org
SMP: Allowing 8 CPUs, 0 hotplug CPUs
No local APIC present
APIC: disable apic facility
PM: Registered nosave memory: 00000000000a0000 - 0000000000100000
PCI: Warning: Cannot find a gap in the 32bit address range
PCI: Unassigned devices with 32bit resource registers may break!
Allocating PCI resources starting at 1c0100000 (gap: 1c0100000:400000)
Booting paravirtualized kernel on Xen
Xen version: 3.4.3-2.6.18 (preserve-AD)
NR_CPUS:4096 nr_cpumask_bits:8 nr_cpu_ids:8 nr_node_ids:1
PERCPU: Embedded 30 pages/cpu @ffff88002804f000 s92504 r8192 d22184 u122880
pcpu-alloc: s92504 r8192 d22184 u122880 alloc=30*4096
pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 [0] 4 [0] 5 [0] 6 [0] 7 
Xen: using vcpu_info placement
Built 1 zonelists in Node order, mobility grouping on.  Total pages: 1807817
Policy zone: Normal
Kernel command line: ro root=/dev/sda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto crashkernel=129M at 0M
PID hash table entries: 4096 (order: 3, 32768 bytes)
Checking aperture...
No AGP bridge found
AMD-Vi disabled by default: pass amd_iommu=on to enable
PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
Placing 64MB software IO TLB between ffff880020000000 - ffff880024000000
software IO TLB at phys 0x20000000 - 0x24000000
Memory: 6955572k/7340032k available (5013k kernel code, 388k absent, 384072k reserved, 7291k data, 1232k init)
Hierarchical RCU implementation.
NR_IRQS:33024 nr_irqs:336
Console: colour dummy device 80x25
console [tty0] enabled
console [hvc0] enabled

...
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 17
registered taskstats version 1
XENBUS: Device with no driver: device/vbd/2049
XENBUS: Device with no driver: device/vbd/2064
XENBUS: Device with no driver: device/vbd/2080
XENBUS: Device with no driver: device/vbd/2096
XENBUS: Device with no driver: device/vbd/2112
XENBUS: Device with no driver: device/vif/0
XENBUS: Device with no driver: device/console/0
drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
Initalizing network drop monitor service
Freeing unused kernel memory: 1232k freed
Write protecting the kernel read-only data: 10240k
Freeing unused kernel memory: 1112k freed
Freeing unused kernel memory: 1796k freed
dracut: dracut-004-33.2.el6_0
dracut: rd_NO_LUKS: removing cryptoluks activation
dracut: rd_NO_LVM: removing LVM activation
device-mapper: uevent: version 1.0.3
device-mapper: ioctl: 4.20.6-ioctl (2011-02-02) initialised: dm-devel at redhat.com
udev: starting version 147
dracut: Starting plymouth daemon
dracut: rd_NO_DM: removing DM RAID activation
dracut: rd_NO_MD: removing MD RAID activation
xlblk_init: register_blkdev major: 202 
blkfront: xvde1: barriers disabled
blkfront: xvdf: barriers disabled
 xvdf: unknown partition table
blkfront: xvdg: barriers disabled
 xvdg: unknown partition table
blkfront: xvdh: barriers disabled
 xvdh: unknown partition table
blkfront: xvdi: barriers disabled
 xvdi: unknown partition table

Boot has failed, sleeping forever.





________________________________
 From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
To: Johnny Hughes <johnny at centos.org> 
Cc: CentOS mailing list <centos at centos.org> 
Sent: Wednesday, November 23, 2011 10:48 AM
Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?
 
Hi Johnny,

 Thanks a lot. I'll upgrade kernel to the cr repository, and give it a try now.

--Guolin


________________________________
From: Johnny Hughes <johnny at centos.org>
To: centos at centos.org 
Sent: Wednesday, November 23, 2011 9:55 AM
Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?

On 11/23/2011 11:40 AM, Robinson Tiemuqinke wrote:
> I tried several ways but still no help. The following is the output (stock CentOS 6 2.6.32-71.29.1.el6.x86_64 kernel); grub works fine and it located the kernel and initial ramdisk, but kernel booting failed at the very beginning...
> 
> Any suggestions are more than appreciated.
> 
> 
> --------------------------------------------------
> 
> 2011-11-23T17:19:21+0000
> Xen Minimal OS!
>   start_info: 0x1890000(VA)
>     nr_pages: 0x1e0000
>   shared_inf: 0xb2cea000(MA)
>      pt_base: 0x1893000(VA)
> nr_pt_frames: 0x11
>     mfn_list: 0x990000(VA)
>    mod_start: 0x0(VA)
>      mod_len: 0
>        flags: 0x0
>     cmd_line: root=/dev/sda1 ro 4
>   stack:      0x94f860-0x96f860
> MM: Init
>       _text: 0x0(VA)
>      _etext: 0x6000d(VA)
>    _erodata: 0x78000(VA)
>      _edata: 0x80b00(VA)
> stack start: 0x94f860(VA)
>        _end: 0x98fe68(VA)
>   start_pfn: 18a7
>     max_pfn: 1e0000
> Mapping memory range 0x1c00000 - 0x1e0000000
> setting 0x0-0x78000 readonly
> skipped 0x1000
> MM: Initialise page allocator for 27a0000(27a0000)-1e0000000(1e0000000)
> MM: done
> Demand map pfns at 1e0001000-21e0001000.
> Heap resides at 21e0002000-41e0002000.
> Initialising timer interface
> Initialising console ... done.
> gnttab_table mapped at 0x1e0001000.
> Initialising scheduler
> Thread "Idle": pointer: 0x21e0002010, stack: 0x36f0000
> Initialising xenbus
> Thread "xenstore": pointer: 0x21e00027c0, stack: 0x3700000
> Dummy main: start_info=0x96f960
> Thread "main": pointer: 0x21e0002f70, stack: 0x3710000
> "main" "root=/dev/sda1" "ro" "4" 
> vbd 2049 is hd0
> ******************* BLKFRONT for device/vbd/2049 **********
> 
> 
> backend at /local/domain/0/backend/vbd/162/2049
> Failed to read /local/domain/0/backend/vbd/162/2049/feature-barrier.
> Failed to read /local/domain/0/backend/vbd/162/2049/feature-flush-cache.
> 20971520 sectors of 512 bytes
> **************************
> vbd 2064 is hd1
> ******************* BLKFRONT for device/vbd/2064 **********
> 
> 
> backend at /local/domain/0/backend/vbd/162/2064
> Failed to read /local/domain/0/backend/vbd/162/2064/feature-barrier.
> Failed to read /local/domain/0/backend/vbd/162/2064/feature-flush-cache.
> 880732160 sectors of 512 bytes
> **************************
> vbd 2080 is hd2
> ******************* BLKFRONT for device/vbd/2080 **********
> 
> 
> backend at /local/domain/0/backend/vbd/162/2080
> Failed to read /local/domain/0/backend/vbd/162/2080/feature-barrier.
> Failed to read /local/domain/0/backend/vbd/162/2080/feature-flush-cache.
> 880732160 sectors of 512 bytes
> **************************
> [GRUB menu; terminal escape sequences elided]
>     GNU GRUB  version 0.97  (7864320K lower / 0K upper memory)
> 
>     Use the ^ and v keys to select which entry is highlighted.
>     Press enter to boot the selected OS, 'e' to edit the
>     commands before booting, or 'c' for a command-line.
>       CentOS (2.6.32-71.29.1.el6.x86_64)
>     The highlighted entry will be booted automatically in 5 seconds.
>   Booting 'CentOS (2.6.32-71.29.1.el6.x86_64)'
> 
> root (hd0)
>  Filesystem type is ext2fs, using whole disk
> 
> kernel /boot/vmlinuz-2.6.32-71.29.1.el6.x86_64 ro root=/dev/sda1 rhgb quiet 
> initrd /boot/initramfs-2.6.32-71.29.1.el6.x86_64.img
> 
> close blk: backend at /local/domain/0/backend/vbd/162/2049
> close blk: backend at /local/domain/0/backend/vbd/162/2064
> close blk: backend at /local/domain/0/backend/vbd/162/2080
> PCI: Warning: Cannot find a gap in the 32bit address range
> PCI: Unassigned devices with 32bit resource registers may break!
> PCI: Fatal: No config space access function found
> 
> Boot has failed, sleeping forever.
> 
> 
> 
> 
> 
> 
> ________________________________
>  From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
> To: CentOS mailing list <centos at centos.org> 
> Sent: Tuesday, November 22, 2011 3:35 PM
> Subject: [CentOS] EC2 compatible kernel for centos 6?
>  
> Hi all,
> 
>  I'm just scrambling to collect clues to build an Amazon AWS AMI based on CentOS 6. The AWS PV-GRUB kernel loads my kernel but fails immediately. I'm using the stock CentOS 6 kernel 2.6.32-71.29.1.el6, and the kernel seems to have Xen support? My questions are:
> 
>  1, Are the centos 6 stock kernels, like kernel-2.6.32-71.29.1.el6.x86_64, EC2 compatible?
> 
>  2, If the answer to the above #1 question is NO, then are the CentOS Plus kernels, like kernel-2.6.32-71.29.1.el6.centos.plus.x86_64, EC2 compatible?
> 
>  3, If the answers to both of the above are 'NO', then are there any instructions to build an EC2 kernel based on the kernel source RPMs? 
> 
> 
> Any help is greatly appreciated.
> 
> --Tie

I do not use amazon services, but does this help:

https://forums.aws.amazon.com/thread.jspa?threadID=78007



_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos