At the moment, I think this behaviour is intentional and by design.

First, I would note that this only happens when you haven't performed
the minimal TLS configuration yet:

It's not by design.  If it is, someone needs the Kay Sievers treatment.

1) As I told you a few weeks ago, OpenLDAP build is broke.
2) GnuTLS sucks the royal spoon.
3) "Upstream" stops at Debian.
4) There are even broken password settings (in another bug report, called "a minor bug")...

LAST BUT NOT LEAST, COMPOUNDING THE PROBLEMS -- there are even mismatches 
between various packages:
1)  NSSWITCH.
2)  PAM
3)  OpenLDAP.

libnss_ldap.secret
ldap.secret
pam_ldap.secret.

NUTS.

That's why I build my own OpenLDAP... and I have flawless programs and scripts 
to do it.  However, every version of Debian seems to break my code.

Sievers Situation.

I build my own, now.  But, Now I've even got to redo LIBNSS AND PAM, TOO!!!  
Before long, I'll have my own distro????

Ridiculous.  As I also said before, testing is imperative.  I'll withhold my 
"Torvald's response."



On Mon, 14 Dec 2015 15:05:22 +0100 Obspm <albert.s...@obspm.fr> wrote:
> Package: slapd
> Version: 2.4.40+dfsg-1+deb8u1
> Severity: important
>
>
> Hi everyone.
>
> From a fresh install (the server is a virtual machine with VirtualBox), after basic configuration of slapd, without any configuration other than those made by apt-get, with no special data I can add this piece of ldif
>
> dn: cn=config
> changeType: modify
> add: olcTLSVerifyClient
> olcTLSVerifyClient: never
> -
>
> I always got a
>
> root@debian:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f toto.ldif
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "cn=config"
> ldap_modify: Server is unwilling to perform (53)
>
> and the debug file contains (with LogLevel:1)
>
> Dec 14 15:04:12 debian slapd[3597]: slap_listener_activate(11):
> Dec 14 15:04:12 debian slapd[3597]: >>> slap_listener(ldapi:///)
> Dec 14 15:04:12 debian slapd[3597]: connection_get(13): got connid=1031
> Dec 14 15:04:12 debian slapd[3597]: connection_read(13): checking for input on id=1031
> Dec 14 15:04:12 debian slapd[3597]: op tag 0x60, time 1450101852
> Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=0 do_bind
> Dec 14 15:04:12 debian slapd[3597]: >>> dnPrettyNormal: <>
> Dec 14 15:04:12 debian slapd[3597]: <<< dnPrettyNormal: <>, <>
> Dec 14 15:04:12 debian slapd[3597]: do_bind: dn () SASL mech EXTERNAL
> Dec 14 15:04:12 debian slapd[3597]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
> Dec 14 15:04:12 debian slapd[3597]: <==slap_sasl2dn: Converted SASL name to <nothing>
> Dec 14 15:04:12 debian slapd[3597]: SASL Authorize [conn=1031]: proxy authorization allowed authzDN=""
> Dec 14 15:04:12 debian slapd[3597]: send_ldap_sasl: err=0 len=-1
> Dec 14 15:04:12 debian slapd[3597]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
> Dec 14 15:04:12 debian slapd[3597]: send_ldap_response: msgid=1 tag=97 err=0
> Dec 14 15:04:12 debian slapd[3597]: <== slap_sasl_bind: rc=0
> Dec 14 15:04:12 debian slapd[3597]: connection_get(13): got connid=1031
> Dec 14 15:04:12 debian slapd[3597]: connection_read(13): checking for input on id=1031
> Dec 14 15:04:12 debian slapd[3597]: op tag 0x66, time 1450101852
> Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=1 do_modify
> Dec 14 15:04:12 debian slapd[3597]: >>> dnPrettyNormal: <cn=config>
> Dec 14 15:04:12 debian slapd[3597]: <<< dnPrettyNormal: <cn=config>, <cn=config>
> Dec 14 15:04:12 debian slapd[3597]: oc_check_required entry (cn=config), objectClass "olcGlobal"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "objectClass"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "cn"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcArgsFile"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcPidFile"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcToolThreads"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "structuralObjectClass"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "entryUUID"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "creatorsName"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "createTimestamp"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcConnMaxPending"
> Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcLogLevel"
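
A pre-flight check for the modify in the quoted report, following the remark at the top of this message that the error only appears before the minimal TLS configuration has been done. This is an added example, not part of the thread and not OpenLDAP or Debian code; treating olcTLSCertificateFile and olcTLSCertificateKeyFile as that minimal configuration, the helper names, and the sample LDIF are assumptions constructed here.

```python
import base64

# Assumption: these two attributes stand in for the "minimal TLS
# configuration"; the thread itself does not list them.
REQUIRED_TLS_ATTRS = ("olcTLSCertificateFile", "olcTLSCertificateKeyFile")

# Constructed sample: cn=config as exported from a fresh install, no TLS set.
SAMPLE_FRESH = "dn: cn=config\nobjectClass: olcGlobal\ncn: config\nolcLogLevel: 1\n"

# Constructed sample: same entry with TLS set (one folded line, one base64
# "::" value), then a second entry whose attributes must not be mixed in.
SAMPLE_TLS = (
    SAMPLE_FRESH
    + "olcTLSCertificateFile: /etc/ldap/tls/\n server.crt\n"
    + "olcTLSCertificateKeyFile:: "
    + base64.b64encode(b"/etc/ldap/tls/server.key").decode()
    + "\n\ndn: olcDatabase={1}mdb,cn=config\nolcSuffix: dc=example,dc=org\n"
)


def parse_entry(ldif, dn):
    """Return {attr_lowercase: [values]} for the entry whose DN is `dn`."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folding: continuation of previous line
        else:
            lines.append(raw)
    attrs, current = {}, None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = value.lower()
        elif current == dn.lower():
            attrs.setdefault(name.lower(), []).append(value)
    return attrs


def preflight(config_ldif):
    """Return the TLS attributes missing from cn=config (empty = configured)."""
    entry = parse_entry(config_ldif, "cn=config")
    return [a for a in REQUIRED_TLS_ATTRS if not entry.get(a.lower())]
```

Run `preflight` on an LDIF export of the config database (for example the output of `slapcat -n 0`) before sending the olcTLSVerifyClient change; a non-empty result names what is still unset.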
