[CentOS] Problem solved -- Re: openldap-server 'TLSVerifyClient demand' fails on centos 6.2?

Mon Apr 23 22:10:04 UTC 2012
Craig White <craig.white at ttiltd.com>

Can't speak with certainty about CentOS 6, but assuming that it is using sssd somewhat like Fedora, you need to concentrate on /etc/sssd/sssd.conf and include
  ldap_tls_reqcert = never

Note that sssd essentially takes the place of padl tools (/etc/ldap.conf)

Also note that /etc/openldap/ldap.conf is only for openldap cli client tools such as ldapsearch/ldapmodify/etc.

That's why /root/.ldaprc sort of works for you, but it is much more logical/consistent to configure sssd.conf properly, because that is where daemons should be looking for system configuration information.

Craig

On Apr 23, 2012, at 3:01 PM, Robinson Tiemuqinke wrote:

> Found the problem and solved. 
> 
> 
> I accidentally copied the file /etc/openldap/ldap.conf under the /root account as the .ldaprc file, and immediately the problem went away. Read the manual again and found that TLS_CERT and TLS_KEY are USER-ONLY options!
> 
> So now the problem goes away, and sure, I'll change the TLSVerifyClient option back to 'try'. It is of no immediate use if TLS client authentication is only a user option.
> 
> Thanks.
> 
> 
> 
> 
> ________________________________
> From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
> To: CentOS mailing list <centos at centos.org> 
> Sent: Monday, April 23, 2012 2:42 PM
> Subject: openldap-server 'TLSVerifyClient demand' fails on centos 6.2?
> 
> 
> ldapsearch -x -ZZ works fine on clients when the server-side slapd.conf has 'TLSVerifyClient' set to 'try'. But after I changed that to 'demand', all clients' "ldapsearch -x -ZZ" commands fail immediately. I ran 'slapd -d3' on the server side too.
> 
> It looks like maybe 'ldapsearch -x -ZZ' didn't send out client certificates, even though it should with the '-ZZ' option -- from the ldap.conf manual?
> 
> My client side /etc/openldap/ldap.conf is like below:
> 
> BASE dc=example,dc=com
> URI ldap://ldapmaster.example.com
> 
> ## working
> TLS_CACERT /etc/openldap/myca.crt
> TLS_CERT /etc/openldap/ldapclient01.crt
> TLS_KEY /etc/openldap/ldapclient01.key
> 
> 
> My server side setup is:
> 
> ## now using my own CA
> ## and it works!
> TLSCACertificateFile /etc/openldap/myca.crt
> TLSCertificateFile /etc/openldap/ldapmaster.crt
> TLSCertificateKeyFile /etc/openldap/ldapmaster.key
> 
> 
> #TLSVerifyClient allow
> TLSVerifyClient demand   ## testing client TLS keys and my own CA setup, 'demand' failed for ldapsearch
> #TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> 
> 
> The logs on the server are attached below as well. Thanks.
> ...
> connection_get(14): got connid=1000
> connection_read(14): checking for input on id=1000
> TLS: loaded CA certificate file /etc/openldap/myca.crt.
> TLS: certificate [E=admin at example.com,CN=ldapmaster.example.com,OU=techOps,O=Pegaclouds Inc.,L=San Mateo,ST=CA,C=US] is valid
> tls_read: want=3, got=3
>   0000:  16 03 01                                           ...
> tls_read: want=2, got=2
>   0000:  00 41                                              .A
> tls_read: want=65, got=65
>   0000:  01 00 00 3d 03 01 4f 95  c1 e0 a9 10 22 30 25 4b   ...=..O....."0%K
>   0010:  f8 da a5 27 64 9e 25 60  35 d0 5c 28 30 74 a8 40   ...'d.%`5.\(0t.@
> ...
> 
> tls_read: want=5 error=Resource temporarily unavailable
> connection_get(14): got connid=1000
> connection_read(14): checking for input on id=1000
> tls_read: want=5, got=5
>   0000:  16 03 01 01 0d                                     .....
> tls_read: want=269, got=269
>   0000:  0b 00 00 03 00 00 00 10  00 01 02 01 00 ac 64 b8   ..............d.
>   0010:  bd bf 20 46 b8 14 e7 38  9a a1 40 2c 36 3a 78 fa   .. F...8..@,6:x.
>   0020:  8a 12 61 3d e3 5e bf 02  f2 f9 a1 70 4e 7f 4e 11   ..a=.^.....pN.N.
>   0030:  cd e6 ba 6d ee 1e 91 95  c7 9f c7 b3 e0 21 ea bb   ...m.........!..
>   0040:  11 78 cc 58 c1 b1 37 f4  d5 18 ff 59 ad df 48 52   .x.X..7....Y..HR
>   0050:  a7 cd 26 0a fe d8 09 bb  7e 70 16 d2 b7 35 de 9f   ..&.....~p...5..
>   0060:  b3 0a ee 1e aa 42 e4 20  ed 8d 2f 31 f2 5d e9 d7   .....B. ../1.]..
>   0070:  82 4c 78 30 48 5d 54 5c  cf c2 cc c9 33 31 50 c5   .Lx0H]T\....31P.
>   0080:  56 62 f8 ea dd 34 32 ff  a1 81 e3 2f f7 a4 0e 58   Vb...42..../...X
>   0090:  ff 84 39 0a fe 74 20 18  a6 ac 18 00 dc 8c 0e fd   ..9..t .........
>   00a0:  5d 2e a3 87 4e 0b e8 51  66 85 8a 60 2e b7 01 a2   ]...N..Qf..`....
>   00b0:  4a 5c d9 74 9b 32 04 16  57 2e f2 60 2d 45 3d 30   J\.t.2..W..`-E=0
>   00c0:  e3 39 c9 a3 af 7b 86 4b  f0 f0 7e 34 f8 bf cf 4c   .9...{.K..~4...L
>   00d0:  73 57 df e5 11 0a 41 de  7f 78 ed f4 cf 9b e8 10   sW....A..x......
>   00e0:  ce 1a b1 73 ff 76 ec ff  23 46 85 24 02 b9 aa 4b   ...s.v..#F.$...K
>   00f0:  fe c9 2a c6 06 ff 54 94  25 5d cc 3d de 5b 1d 9f   ..*...T.%].=.[..
>   0100:  03 a1 36 da 3b 69 95 67  21 b5 61 d7 e9            ..6.;i.g!.a..
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 2a                               ......*
> TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
> TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..
> connection_read(14): TLS accept failure error=-1 id=1000, closing
> connection_close: conn=1000 sd=14
> ...
> --Robinson
> 
> 
> 
> 
> 
> ________________________________
> From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
> To: CentOS mailing list <centos at centos.org> 
> Sent: Wednesday, November 23, 2011 11:20 AM
> Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?
> 
> 
> I've tried with the cr kernel; now it moves much faster but still fails -- fails at the partition failure. This setup is an S3-backed image.
> 
> root (hd0)
>  Filesystem type is ext2fs, using whole disk
> kernel /boot/vmlinuz-2.6.32-131.17.1.el6.x86_64 ro root=/dev/sda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto crashkernel=auto
> initrd /boot/initramfs-2.6.32-131.17.1.el6.x86_64.img
> 
> close blk: backend at /local/domain/0/backend/vbd/8/2049
> close blk: backend at /local/domain/0/backend/vbd/8/2064
> close blk: backend at /local/domain/0/backend/vbd/8/2080
> close blk: backend at /local/domain/0/backend/vbd/8/2096
> close blk: backend at /local/domain/0/backend/vbd/8/2112
> Initializing cgroup subsys cpuset
> Initializing cgroup subsys cpu
> Linux version 2.6.32-131.17.1.el6.x86_64 (mockbuild at c6b5.bsys.dev.centos.org) (gcc version 4.4.5 20110214 (Red Hat 4.4.5-6) (GCC) ) #1 SMP Thu Oct 6 19:24:09 BST 2011
> Command line: ro root=/dev/sda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto crashkernel=auto
> KERNEL supported cpus:
>   Intel GenuineIntel
>   AMD AuthenticAMD
>   Centaur CentaurHauls
> ACPI in unprivileged domain disabled
> BIOS-provided physical RAM map:
>  Xen: 0000000000000000 - 00000000000a0000 (usable)
>  Xen: 00000000000a0000 - 0000000000100000 (reserved)
>  Xen: 0000000000100000 - 00000001c0000000 (usable)
> DMI not present or invalid.
> last_pfn = 0x1c0000 max_arch_pfn = 0x400000000
> last_pfn = 0x100000 max_arch_pfn = 0x400000000
> init_memory_mapping: 0000000000000000-0000000100000000
> init_memory_mapping: 0000000100000000-00000001c0000000
> RAMDISK: 02028000 - 0460c000
> No NUMA configuration found
> Faking a node at 0000000000000000-00000001c0000000
> Bootmem setup node 0 0000000000000000-00000001c0000000
>   NODE_DATA [0000000000008000 - 000000000003bfff]
>   bootmap [000000000003c000 -  0000000000073fff] pages 38
> (8 early reservations) ==> bootmem [0000000000 - 01c0000000]
>   #0 [0000000000 - 0000001000]   BIOS data page ==> [0000000000 - 0000001000]
>   #1 [000540f000 - 000543e000]   XEN PAGETABLES ==> [000540f000 - 000543e000]
>   #2 [0000006000 - 0000008000]       TRAMPOLINE ==> [0000006000 - 0000008000]
>   #3 [0001000000 - 0002007524]    TEXT DATA BSS ==> [0001000000 - 0002007524]
>   #4 [0002028000 - 000460c000]          RAMDISK ==> [0002028000 - 000460c000]
>   #5 [000460c000 - 000540f000]   XEN START INFO ==> [000460c000 - 000540f000]
>   #6 [0000100000 - 00008d3000]          PGTABLE ==> [0000100000 - 00008d3000]
>   #7 [000543e000 - 0005a41000]          PGTABLE ==> [000543e000 - 0005a41000]
> Reserving 129MB of memory at 96MB for crashkernel (System RAM: 7168MB)
> Zone PFN ranges:
>   DMA      0x00000001 -> 0x00001000
>   DMA32    0x00001000 -> 0x00100000
>   Normal   0x00100000 -> 0x001c0000
> Movable zone start PFN for each node
> early_node_map[2] active PFN ranges
>     0: 0x00000001 -> 0x000000a0
>     0: 0x00000100 -> 0x001c0000
> SFI: Simple Firmware Interface v0.7 http://simplefirmware.org
> SMP: Allowing 8 CPUs, 0 hotplug CPUs
> No local APIC present
> APIC: disable apic facility
> PM: Registered nosave memory: 00000000000a0000 - 0000000000100000
> PCI: Warning: Cannot find a gap in the 32bit address range
> PCI: Unassigned devices with 32bit resource registers may break!
> Allocating PCI resources starting at 1c0100000 (gap: 1c0100000:400000)
> Booting paravirtualized kernel on Xen
> Xen version: 3.4.3-2.6.18 (preserve-AD)
> NR_CPUS:4096 nr_cpumask_bits:8 nr_cpu_ids:8 nr_node_ids:1
> PERCPU: Embedded 30 pages/cpu @ffff88002804f000 s92504 r8192 d22184 u122880
> pcpu-alloc: s92504 r8192 d22184 u122880 alloc=30*4096
> pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 [0] 4 [0] 5 [0] 6 [0] 7 
> Xen: using vcpu_info placement
> Built 1 zonelists in Node order, mobility grouping on.  Total pages: 1807817
> Policy zone: Normal
> Kernel command line: ro root=/dev/sda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto crashkernel=129M at 0M
> PID hash table entries: 4096 (order: 3, 32768 bytes)
> Checking aperture...
> No AGP bridge found
> AMD-Vi disabled by default: pass amd_iommu=on to enable
> PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
> Placing 64MB software IO TLB between ffff880020000000 - ffff880024000000
> software IO TLB at phys 0x20000000 - 0x24000000
> Memory: 6955572k/7340032k available (5013k kernel code, 388k absent, 384072k reserved, 7291k data, 1232k init)
> Hierarchical RCU implementation.
> NR_IRQS:33024 nr_irqs:336
> Console: colour dummy device 80x25
> console [tty0] enabled
> console [hvc0] enabled
> 
> ...
> TCP cubic registered
> Initializing XFRM netlink socket
> NET: Registered protocol family 17
> registered taskstats version 1
> XENBUS: Device with no driver: device/vbd/2049
> XENBUS: Device with no driver: device/vbd/2064
> XENBUS: Device with no driver: device/vbd/2080
> XENBUS: Device with no driver: device/vbd/2096
> XENBUS: Device with no driver: device/vbd/2112
> XENBUS: Device with no driver: device/vif/0
> XENBUS: Device with no driver: device/console/0
> drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
> Initalizing network drop monitor service
> Freeing unused kernel memory: 1232k freed
> Write protecting the kernel read-only data: 10240k
> Freeing unused kernel memory: 1112k freed
> Freeing unused kernel memory: 1796k freed
> dracut: dracut-004-33.2.el6_0
> dracut: rd_NO_LUKS: removing cryptoluks activation
> dracut: rd_NO_LVM: removing LVM activation
> device-mapper: uevent: version 1.0.3
> device-mapper: ioctl: 4.20.6-ioctl (2011-02-02) initialised: dm-devel at redhat.com
> udev: starting version 147
> dracut: Starting plymouth daemon
> dracut: rd_NO_DM: removing DM RAID activation
> dracut: rd_NO_MD: removing MD RAID activation
> xlblk_init: register_blkdev major: 202 
> blkfront: xvde1: barriers disabled
> blkfront: xvdf: barriers disabled
>  xvdf: unknown partition table
> blkfront: xvdg: barriers disabled
>  xvdg: unknown partition table
> blkfront: xvdh: barriers disabled
>  xvdh: unknown partition table
> blkfront: xvdi: barriers disabled
>  xvdi: unknown partition table
> 
> Boot has failed, sleeping forever.
> 
> 
> 
> 
> 
> ________________________________
> From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
> To: Johnny Hughes <johnny at centos.org> 
> Cc: CentOS mailing list <centos at centos.org> 
> Sent: Wednesday, November 23, 2011 10:48 AM
> Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?
> 
> Hi Johnny,
> 
>  Thanks a lot. I'll upgrade kernel to the cr repository, and give it a try now.
> 
> --Guolin
> 
> 
> ________________________________
> From: Johnny Hughes <johnny at centos.org>
> To: centos at centos.org 
> Sent: Wednesday, November 23, 2011 9:55 AM
> Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?
> 
> On 11/23/2011 11:40 AM, Robinson Tiemuqinke wrote:
>> I tried several ways but still no help. The following is the output (stock CentOS 6 2.6.32-71.29.1.el6.x86_64 kernel). grub works fine and it located the kernel and initial ramdisk, but kernel booting failed at the very beginning...
>> 
>> Any suggestions are more than appreciated.
>> 
>> 
>> 
> --------------------------------------------------
>> 
>> 
> 2011-11-23T17:19:21+0000
>> Xen Minimal OS!
>>    start_info: 0x1890000(VA)
>>      nr_pages: 0x1e0000
>>    shared_inf: 0xb2cea000(MA)
>>       pt_base: 0x1893000(VA)
>> nr_pt_frames: 0x11
>>      mfn_list: 0x990000(VA)
>>     mod_start: 0x0(VA)
>>       mod_len: 0
>>         flags: 0x0
>>      cmd_line: root=/dev/sda1 ro 4
>>    stack:      0x94f860-0x96f860
>> MM: Init
>>        _text: 0x0(VA)
>>       _etext: 0x6000d(VA)
>>     _erodata: 0x78000(VA)
>>       _edata: 0x80b00(VA)
>> stack start: 0x94f860(VA)
>>         _end: 0x98fe68(VA)
>>    start_pfn: 18a7
>>      max_pfn: 1e0000
>> Mapping memory range 0x1c00000 - 0x1e0000000
>> setting 0x0-0x78000 readonly
>> skipped 0x1000
>> MM: Initialise page allocator for 27a0000(27a0000)-1e0000000(1e0000000)
>> MM: done
>> Demand map pfns at 1e0001000-21e0001000.
>> Heap resides at 21e0002000-41e0002000.
>> Initialising timer interface
>> Initialising console ... done.
>> gnttab_table mapped at 0x1e0001000.
>> Initialising scheduler
>> Thread "Idle": pointer: 0x21e0002010, stack: 0x36f0000
>> Initialising xenbus
>> Thread "xenstore": pointer: 0x21e00027c0, stack: 0x3700000
>> Dummy main: start_info=0x96f960
>> Thread "main": pointer: 0x21e0002f70, stack: 0x3710000
>> "main" "root=/dev/sda1" "ro" "4" 
>> vbd 2049 is hd0
>> ******************* BLKFRONT for device/vbd/2049 **********
>> 
>> 
>> backend at /local/domain/0/backend/vbd/162/2049
>> Failed to read /local/domain/0/backend/vbd/162/2049/feature-barrier.
>> Failed to read /local/domain/0/backend/vbd/162/2049/feature-flush-cache.
>> 20971520 sectors of 512 bytes
>> **************************
>> vbd 2064 is hd1
>> ******************* BLKFRONT for device/vbd/2064 **********
>> 
>> 
>> backend at /local/domain/0/backend/vbd/162/2064
>> Failed to read /local/domain/0/backend/vbd/162/2064/feature-barrier.
>> Failed to read /local/domain/0/backend/vbd/162/2064/feature-flush-cache.
>> 880732160 sectors of 512 bytes
>> **************************
>> vbd 2080 is hd2
>> ******************* BLKFRONT for device/vbd/2080 **********
>> 
>> 
>> backend at /local/domain/0/backend/vbd/162/2080
>> Failed to read /local/domain/0/backend/vbd/162/2080/feature-barrier.
>> Failed to read /local/domain/0/backend/vbd/162/2080/feature-flush-cache.
>> 880732160 sectors of 512 bytes
>> **************************
>> [GRUB menu screen; terminal escape sequences stripped]
>>      GNU GRUB  version 0.97  (7864320K lower / 0K upper memory)
>> 
>>      CentOS (2.6.32-71.29.1.el6.x86_64)
>> 
>>      Use the ^ and v keys to select which entry is highlighted.
>>      Press enter to boot the selected OS, 'e' to edit the
>>      commands before booting, or 'c' for a command-line.
>>      The highlighted entry will be booted automatically in 5 seconds.
>>   Booting 'CentOS (2.6.32-71.29.1.el6.x86_64)'
>> 
>> root (hd0)
>>   Filesystem type is ext2fs, using whole disk
>> 
>> kernel /boot/vmlinuz-2.6.32-71.29.1.el6.x86_64 ro root=/dev/sda1 rhgb quiet 
>> initrd /boot/initramfs-2.6.32-71.29.1.el6.x86_64.img
>> 
>> close blk: backend at /local/domain/0/backend/vbd/162/2049
>> close blk: backend at /local/domain/0/backend/vbd/162/2064
>> close blk: backend at /local/domain/0/backend/vbd/162/2080
>> PCI: Warning: Cannot find a gap in the 32bit address range
>> PCI: Unassigned devices with 32bit resource registers may break!
>> PCI: Fatal: No config space access function found
>> 
>> Boot has failed, sleeping forever.
>> 
>> 
>> 
>> 
>> 
>> 
>> ________________________________
>>   From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
>> To: CentOS mailing list <centos at centos.org> 
>> Sent: Tuesday, November 22, 2011 3:35 PM
>> Subject: [CentOS] EC2 compatible kernel for centos 6?
>>   
>> Hi all,
>> 
>>   I'm just scrambling to collect clues to build an Amazon AWS AMI based on CentOS 6. The AWS PV-GRUB kernel loads my kernel, but it fails immediately. I'm using the stock CentOS 6 kernel 2.6.32-71.29.1.el6, and the kernel seems to have Xen support? My questions are:
>> 
>>   1, Are the centos 6 stock kernels, like kernel-2.6.32-71.29.1.el6.x86_64, EC2 compatible?
>> 
>>   2, If the answer to the above #1 question is NO, then are the centos plus kernels, like kernel-2.6.32-71.29.1.el6.centos.plus.x86_64, EC2 compatible?
>> 
>>   3, If the answers to both of the above are 'NO', then are there any instructions to build an EC2 kernel based on the kernel source RPMs?
>> 
>> 
>> Any help is greatly appreciated.
>> 
>> --Tie
> 
> I do not use amazon services, but does this help:
> 
> https://forums.aws.amazon.com/thread.jspa?threadID=78007
> 
> 
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ craig.white at ttiltd.com
1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com 

Need help communicating between generations at work to achieve your desired success? Let us help!
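Added example, not code from this thread or any of its authors: a small Python audit of the three configuration files the thread touches, built on the client ldap.conf and slapd.conf quoted above plus a hypothetical sssd.conf. It flags the two things that matter here. First, TLS_CERT and TLS_KEY placed in the system-wide /etc/openldap/ldap.conf, which ldap.conf(5) marks user-only and therefore ignores there; that is why copying the file to /root/.ldaprc (or, equivalently, the LDAPTLS_CERT/LDAPTLS_KEY environment variables) made 'TLSVerifyClient demand' start working. Second, `ldap_tls_reqcert = never` in sssd.conf, which makes sssd accept any server certificate and so removes the protection StartTLS was supposed to give against a man-in-the-middle harvesting bind credentials; the hardened fragment beside it keeps the default-strength `demand`, points at the CA, and carries the client certificate and key so the daemon, not only root's shell, can satisfy a server that demands client certs. The sssd option names (ldap_tls_reqcert, ldap_tls_cacert, ldap_tls_cert, ldap_tls_key, ldap_id_use_start_tls, ldap_uri) are from sssd-ldap(5); every path and hostname is an assumption carried over from the thread.

```python
"""Audit OpenLDAP client, slapd and sssd TLS settings for the pitfalls in this thread.

Added example, not code from the thread. Sample configs below are constructed:
the ldap.conf and slapd.conf fragments mirror what the thread quotes, the two
sssd.conf fragments are hypothetical. All paths and hostnames are assumptions.
"""
import configparser

# Options that ldap.conf(5) marks user-only: ignored in the system-wide
# /etc/openldap/ldap.conf, honoured only in ~/.ldaprc (or LDAPTLS_* env vars).
USER_ONLY = {"TLS_CERT", "TLS_KEY"}
# Settings under which the client accepts any server certificate.
NO_VERIFY = {"never", "allow"}
# OpenSSL-style cipher-string tokens that admit weak or unauthenticated suites.
WEAK_CIPHER_TOKENS = ("SSLv2", "LOW", "EXPORT", "aNULL", "eNULL")


def parse_ldap_conf(text):
    """Parse the 'KEY value' format shared by ldap.conf, .ldaprc and slapd.conf.

    Returns (KEY, value) pairs in file order; keys upper-cased because OpenLDAP
    matches them case-insensitively, '#' starts a comment.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def audit_ldap_client(text, system_wide=True):
    """Findings for an OpenLDAP client config; system_wide=False means ~/.ldaprc."""
    findings = []
    for key, value in parse_ldap_conf(text):
        if system_wide and key in USER_ONLY:
            findings.append(f"{key} is user-only: ignored in the system-wide ldap.conf, "
                            "move it to ~/.ldaprc")
        if key == "TLS_REQCERT" and value.lower() in NO_VERIFY:
            findings.append(f"TLS_REQCERT {value}: server certificate is not verified, "
                            "a man-in-the-middle can read simple-bind credentials")
    return findings


def audit_slapd(text):
    """Findings for the TLS directives of slapd.conf."""
    conf = dict(parse_ldap_conf(text))
    findings = []
    weak = [tok for tok in WEAK_CIPHER_TOKENS if tok in conf.get("TLSCIPHERSUITE", "")]
    if weak:
        findings.append(f"TLSCipherSuite admits weak suites: {', '.join(weak)}")
    if conf.get("TLSVERIFYCLIENT", "never").lower() == "demand":
        if "TLSCACERTIFICATEFILE" not in conf:
            findings.append("TLSVerifyClient demand without TLSCACertificateFile: "
                            "no client certificate can be validated")
        findings.append("note: TLSVerifyClient demand rejects every client whose TLS_CERT/"
                        "TLS_KEY are not set in a user-level config (the failure in this thread)")
    return findings


def audit_sssd(text):
    """Findings for sssd.conf [domain/*] sections that use the LDAP provider."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in (s for s in cfg.sections() if s.startswith("domain/")):
        reqcert = cfg.get(section, "ldap_tls_reqcert", fallback="hard").lower()  # sssd default: hard
        if reqcert in NO_VERIFY:
            findings.append(f"[{section}] ldap_tls_reqcert = {reqcert}: sssd accepts any server "
                            "certificate, which defeats StartTLS")
        uri = cfg.get(section, "ldap_uri", fallback="")
        if uri.startswith("ldap://") and not cfg.getboolean(section, "ldap_id_use_start_tls", fallback=False):
            findings.append(f"[{section}] ldap:// without ldap_id_use_start_tls = true: binds go in the clear")
        if cfg.has_option(section, "ldap_tls_cert") != cfg.has_option(section, "ldap_tls_key"):
            findings.append(f"[{section}] ldap_tls_cert and ldap_tls_key must be set together")
    return findings


# Client /etc/openldap/ldap.conf as quoted in the thread (wrapped TLS_KEY line rejoined).
CLIENT_LDAP_CONF = """\
BASE dc=example,dc=com
URI ldap://ldapmaster.example.com
TLS_CACERT /etc/openldap/myca.crt
TLS_CERT /etc/openldap/ldapclient01.crt
TLS_KEY /etc/openldap/ldapclient01.key
"""
# Server slapd.conf TLS block as quoted in the thread.
SLAPD_CONF = """\
TLSCACertificateFile /etc/openldap/myca.crt
TLSCertificateFile /etc/openldap/ldapmaster.crt
TLSCertificateKeyFile /etc/openldap/ldapmaster.key
TLSVerifyClient demand   ## testing client TLS keys and my own CA setup
TLSCipherSuite HIGH:MEDIUM:+SSLv2
"""
# Hypothetical sssd.conf domain section following the 'ldap_tls_reqcert = never' advice.
SSSD_WEAK = """\
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldapmaster.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
"""
# Hypothetical hardened version: verify the server, present the client certificate.
SSSD_FIXED = """\
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldapmaster.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/myca.crt
ldap_tls_cert = /etc/openldap/ldapclient01.crt
ldap_tls_key = /etc/openldap/ldapclient01.key
"""

if __name__ == "__main__":
    for name, findings in [("client ldap.conf", audit_ldap_client(CLIENT_LDAP_CONF)),
                           ("slapd.conf", audit_slapd(SLAPD_CONF)),
                           ("sssd.conf (weak)", audit_sssd(SSSD_WEAK)),
                           ("sssd.conf (fixed)", audit_sssd(SSSD_FIXED))]:
        print(f"== {name}")
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

Run it directly to print the findings for each sample. The cipher check is a plain token match against OpenSSL-style cipher strings; the slapd in this log is linked against MozNSS (the "moznss error" line), where TLSCipherSuite is interpreted differently, so treat that check as a hint rather than a verdict. The sssd checks only look at [domain/*] sections, which is where the LDAP provider options live.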
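Added example, again not code from the thread: a decoder for the raw TLS bytes in the slapd -d3 dump quoted above, which shows exactly why the server dropped the connection before any LDAP operation. The first record in the log is the ClientHello (16 03 01 00 41 ...). The second record (16 03 01 01 0d, 269 bytes) opens with the client's Certificate message, 0b 00 00 03 00 00 00: handshake type 11, length 3, and a certificate_list of length 0, i.e. the client answered the server's CertificateRequest with no certificate at all, which is what a client does when it has no TLS_CERT/TLS_KEY in effect. A ClientKeyExchange (10 00 01 02, 258 bytes) follows in the same record. The server replies with 15 03 01 00 02 02 2a: an alert record, level 2 (fatal), description 42 (bad_certificate), which lines up with the NSS error -12285 on the next log line. The code below rebuilds that exchange from the logged hex (record and handshake headers verbatim; the opaque RSA-encrypted premaster secret is zero-padded after its first 16 logged bytes, as the comments note) and parses record framing, handshake messages, the Certificate message and the Alert. The parser is generic TLS 1.0 to 1.2 framing and is not tied to these particular bytes.

```python
"""Decode the TLS records that slapd -d3 dumped during the failed handshake.

Added example, not code from the thread. CLIENT_FLIGHT is rebuilt from the
hex in the log: record and handshake headers are copied verbatim, and the
opaque RSA-encrypted premaster secret keeps its first 16 logged bytes and is
zero-padded to length. SERVER_ALERT is the 7-byte reply exactly as logged.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 46: "certificate_unknown", 48: "unknown_ca"}

CLIENT_FLIGHT = (
    bytes.fromhex("160301010d")        # handshake record, TLS 1.0, 269-byte body
    + bytes.fromhex("0b000003000000")  # Certificate, len 3: certificate_list len 0 (no cert!)
    + bytes.fromhex("100001020100")    # ClientKeyExchange, len 258: 256-byte encrypted premaster
    + bytes.fromhex("ac64b8bdbf2046b814e7389aa1402c36") + bytes(240)  # 16 logged bytes, rest zeroed
)
SERVER_ALERT = bytes.fromhex("150301000202" "2a")  # alert record: level 2, description 42


def parse_records(data):
    """Split a byte stream into TLS records -> [(content_type, (major, minor), body)]."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"record claims {length} bytes, only {len(body)} present")
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records


def parse_handshake(body):
    """Split a handshake record body into [(msg_type, payload)]; 3-byte lengths."""
    msgs, off = [], 0
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated handshake header")
        mtype = body[off]
        mlen = int.from_bytes(body[off + 1:off + 4], "big")
        payload = body[off + 4:off + 4 + mlen]
        if len(payload) != mlen:
            raise ValueError(f"handshake message claims {mlen} bytes, only {len(payload)} present")
        msgs.append((mtype, payload))
        off += 4 + mlen
    return msgs


def parse_certificate(payload):
    """Return the DER certificates in a Certificate message (empty list if none sent)."""
    total = int.from_bytes(payload[:3], "big")
    if 3 + total != len(payload):
        raise ValueError("certificate_list length does not match message length")
    certs, off = [], 3
    while off < 3 + total:
        clen = int.from_bytes(payload[off:off + 3], "big")
        certs.append(payload[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs


def parse_alert(body):
    """Return (level, description) names for an alert record body."""
    return ALERT_LEVELS.get(body[0], str(body[0])), ALERT_DESCRIPTIONS.get(body[1], str(body[1]))


def client_certificate_count(stream):
    """Number of certificates carried in Certificate messages across the stream."""
    count = 0
    for ctype, _, body in parse_records(stream):
        if ctype == 22:
            for mtype, payload in parse_handshake(body):
                if mtype == 11:
                    count += len(parse_certificate(payload))
    return count


def describe(stream):
    """One line per record or handshake message, for eyeballing a -d3 dump."""
    lines = []
    for ctype, ver, body in parse_records(stream):
        name = CONTENT_TYPES.get(ctype, str(ctype))
        vname = VERSIONS.get(ver, f"{ver[0]}.{ver[1]}")
        if ctype == 22:
            for mtype, payload in parse_handshake(body):
                detail = f"{len(parse_certificate(payload))} cert(s)" if mtype == 11 else f"{len(payload)} bytes"
                lines.append(f"{name} {vname} {HANDSHAKE_TYPES.get(mtype, str(mtype))}: {detail}")
        elif ctype == 21:
            lines.append(f"{name}: {' '.join(parse_alert(body))}")
        else:
            lines.append(f"{name}: {len(body)} bytes")
    return lines


if __name__ == "__main__":
    for line in describe(CLIENT_FLIGHT + SERVER_ALERT):
        print(line)
    print("client certificates sent:", client_certificate_count(CLIENT_FLIGHT))
```

Feeding the rebuilt bytes through `describe` gives "certificate: 0 cert(s)" followed by the fatal bad_certificate alert, which is the whole story behind "TLS accept failure error=-1" in the log: with TLSVerifyClient demand the server refuses at the handshake, so the LDAP layer never sees the request. The same framing code can be pointed at any hex dump from slapd -d3 or from a packet capture taken before the Finished messages, since everything up to that point is in the clear.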