Original thread: http://lists.debian.org/debian-isp/2006/07/msg00007.html

A colleague of mine figured this one out: we have ca-certificates
installed, and for some reason (yet to be investigated),
sshd/su/login/whatever would cause PAM/libnss to enumerate all the
certificates and try one after the other -- we're using LDAP over
TLS for PAM/libnss.

The reason for this was the settings

  tls_cacertdir /etc/ssl/certs
  tls_checkpeer yes

in /etc/libnss-ldap.conf and /etc/pam_ldap.conf. Setting

  tls_cacertfile /etc/ssl/certs/ailab_ca.pem

instead of tls_cacertdir fixed the issue.

I now wonder whether this is a bug in the LDAP clients since the SSL
hashes in /etc/ssl/certs exist and could be used to quickly locate
the CA certificate the server presented.

Thoughts?

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, author, administrator, and user
`. `'`     http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

NP: Porcupine Tree / Pure Narcotic
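The "SSL hashes" mentioned in the post are the `<subject_hash>.<n>` links OpenSSL expects in a CA directory. As an added example (not part of the original post), the script below reads `tls_cacertdir` from a client config and checks whether a given CA certificate can be found through such a link; the function names are hypothetical and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: is a CA certificate reachable via the hashed-directory
# convention (<subject_hash>.<n>) in the directory named by tls_cacertdir?

# Print the value of a directive (e.g. tls_cacertdir) from a
# libnss-ldap.conf / pam_ldap.conf style file; commented lines never match.
conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print the hash link in directory $1 that holds certificate $2.
# Returns 0 if found, 1 if no link matches, 2 if the certificate is unreadable.
find_ca_by_hash() {
    cadir=$1
    cafile=$2
    hash=$(openssl x509 -noout -subject_hash -in "$cafile" 2>/dev/null) || return 2
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$cafile" 2>/dev/null) || return 2
    n=0
    # Certificates with the same subject share a hash, so the links are
    # numbered <hash>.0, <hash>.1, ... and probing stops at the first gap.
    while [ -e "$cadir/$hash.$n" ]; do
        got=$(openssl x509 -noout -fingerprint -sha256 \
                  -in "$cadir/$hash.$n" 2>/dev/null) || got=
        if [ "$got" = "$want" ]; then
            printf '%s\n' "$cadir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Usage: sh check_ca_hash.sh /etc/libnss-ldap.conf /path/to/ca.pem
if [ "$#" -eq 2 ]; then
    confdir=$(conf_value "$1" tls_cacertdir)
    if [ -z "$confdir" ]; then
        echo "tls_cacertdir is not set in $1" >&2
    elif ! find_ca_by_hash "$confdir" "$2"; then
        echo "no hash link for $2 in $confdir" >&2
    fi
fi
```

If no link is reported for the CA the server uses, a directory lookup by hash cannot succeed for it, and pointing `tls_cacertfile` at the certificate, as in the post, is the setting that does not depend on the links.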