The next phase in tidying up my user authentication environment in the lab was to enable SSL/TLS on the z/VM LDAP server I use for my Linux authentication (I’ll discuss the process on the DeveloperWorks blog, and put a link here). Apart from being the right way to do things, LDAP authentication appears to require SSL or TLS in Fedora 15.
After I got the Fedora system working, I thought it would be a good idea to have other systems in the complex using SSL/TLS also. The process was moderately painless on a SLES 10 system, but on the first SLES 11 system I went to YaST froze while saving the changes. I (foolishly) rebooted the image, and it hung during boot. Not fun.
After a couple of attempts to fix up what I thought were the obvious problems (each attempt involving logging off the guest, connecting its disk to another guest, mounting the filesystem, making a change, unmounting and disconnecting, and re-IPLing) with no success, I went into /etc/nsswitch.conf and turned off LDAP for everything I could find. This finally allowed the guest to complete its boot — but I had no LDAP now. I did a test using ldapsearch, which reported it couldn’t reach the LDAP server. I tried to ping the LDAP server by address, which worked. I tried to lookup the hostname of the LDAP server, and name resolution failed with the traditional “no servers could be reached” message. This was odd, as I knew I’d changed it since it was pointing to the wrong DNS server before… I could ping the DNS by address, and another system resolved fine.
I thought it might have been a configuration problem — I had earlier had trouble with systems not being able to do recursive DNS lookups through my DNS server. I went to YaST to configure the DNS Server, and it told me that I had to install the package “bind”. WHAT?!?!? How did the BIND package get uninstalled from the system…
Unless… It’s the wrong system…
I checked /etc/resolv.conf on a working system and sure enough I had the IP address wrong. I was pointing at a server that was NOT my DNS server. Presumably the inability to resolve the name of the LDAP server I was trying to reach is what made the first attempt to enable TLS for LDAP fail in YaST, and whatever preload magic SLES uses to enable LDAP authentication got broken by the failure. Setting the right DNS and re-running the LDAP Client module in YaST not only got LDAP authentication working but got me a bootable system again.
A simple fix in the end, but I’d forgotten the power of the resolver to cause untold and unpredictable havoc. Now, pardon me while I lie in wait for the YaST-haters who will no doubt come out and sledge me… 🙂
Crossed Wires 