Package: libpam-ldap
Version: 178-1sarge3

It seems I have finally tracked down a problem I've been having using
libnss-ldap/libpam-ldap on sarge.
The server is Debian sarge, the clients are Debian sarge or Ubuntu (same
problem spotted).

Clients connect to an OpenLDAP server (really, two replicated ones, but
that does not matter...) via SSL, using a hand-made root CA certificate.

On the client I've set up in /etc/ldap/ldap.conf (the OpenLDAP libs
configuration file) a simple:

        TLS_CACERTDIR   /etc/ssl/certs

and copied the hand-made root CA to /etc/ssl/certs, running c_rehash.

If /etc/ssl/certs contains only my root CA, or a few (2-3) others, there
seems to be no trouble at all.

But if I install the package ca-certificates, populating /etc/ssl/certs
with many certificates, the system simply 'hangs' at 100% CPU load on
every simple account or password access; e.g. a simple 'getent passwd'
chokes the system completely for 4-5 minutes, and on an Intel Pentium D!!!
Booting (or shutting down) the box in this setup can take half an
hour!!!

It seems that libnss-ldap/libpam-ldap or the OpenLDAP lib spend a heavy
bunch of CPU cycles 'enumerating' (in some way) the certificates.

Clearly, if I set in /etc/ldap/ldap.conf:

        TLS_CACERT      /etc/ssl/certs/MyROOTCA.pem

(i.e. I force the certificate to use) the problem disappears, but this is
far from optimal, because in the general OpenLDAP library domain it could
be that I need to access some other servers, with their proper CA certs...


The strange thing, and so the bug report, is that if I explicitly set
the certificate of the CA in libnss-ldap.conf/pam_ldap.conf with:

        tls_cacertfile  /etc/ssl/certs/MyROOTCA.pem

this value is totally ignored, so I cannot define a 'general' certificate
dir for the OpenLDAP library (with CACERTDIR in ldap.conf) and a specific
certificate for libnss/libpam-ldap (in libnss-ldap.conf/pam_ldap.conf).

libnss-ldap/libpam-ldap are not 'strangely' configured, only via debconf
and then manually edited to remove the host instance and enable the uri
instance as:

        uri ldaps://server1.dom.name/ ldaps://server2.dom.name/

I've tried with only one server; nothing changed.


It is some months, if not years, that I've been 'turning around' this
bug; I only hope I'm not missing something...


-- 
dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it      tel +39-0434-842711  fax +39-0434-842797
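As an added check (not part of this report), the following POSIX shell function verifies that a root CA placed in a TLS_CACERTDIR directory is actually reachable through the hashed `<subject_hash>.N` name that c_rehash creates, which is what lets the client find the CA without reading every file in the directory; the CA path and directory are placeholders.

```sh
#!/bin/sh
# Verify that a c_rehash'ed TLS_CACERTDIR resolves a given CA certificate.
# OpenSSL-style hashed directories are looked up by <subject_hash>.<n>, so a
# correctly hashed directory should not need to be enumerated on every lookup.
#
# Usage: check_cacertdir /etc/ssl/certs/MyROOTCA.pem /etc/ssl/certs
# Returns 0 when a hash entry points at the CA, 1 when no hash entry matches
# (the file may be present but c_rehash was not run), 2 on bad arguments.
check_cacertdir() {
    ca_pem="$1"; cert_dir="$2"
    [ -r "$ca_pem" ] && [ -d "$cert_dir" ] || return 2

    # The fingerprint identifies the CA regardless of file name.
    ca_fp=$(openssl x509 -in "$ca_pem" -noout -fingerprint -sha256)
    # The subject hash is what c_rehash uses to name the <hash>.N links.
    ca_hash=$(openssl x509 -in "$ca_pem" -noout -subject_hash)

    # Several CAs can share a subject hash, so check every <hash>.N candidate.
    for link in "$cert_dir/$ca_hash".[0-9]*; do
        [ -e "$link" ] || continue
        link_fp=$(openssl x509 -in "$link" -noout -fingerprint -sha256)
        if [ "$link_fp" = "$ca_fp" ]; then
            echo "ok: $ca_pem is reachable as $link"
            return 0
        fi
    done
    echo "missing: no $ca_hash.N entry for $ca_pem in $cert_dir (run c_rehash $cert_dir)" >&2
    return 1
}
```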
