Package: libnss-ldapd
Version: 0.6.8
Severity: normal

I can confirm that the bug is more serious than just "tls_reqcert never" not working. We have here an openldap server with a self-signed certificate. Lenny clients with version 0.6.7 connect using TLS without any problem. The relevant part of the nss-ldapd.conf file reads:

  ssl start_tls
  tls_checkpeer yes
  tls_cacertfile /etc/ssl/certs/bccnca.pem
On a sid client with version 0.6.8 "ssl start_tls" does not work. The relevant part of the nss-ldapd.conf file reads:

  ssl start_tls
  tls_reqcert demand
  tls_cacertfile /etc/ssl/certs/bccnca.pem

A debug session looking up a valid user on a working lenny client:

  nslcd: DEBUG: add_uri(ldap://ldap1)
  nslcd: DEBUG: add_uri(ldap://ldap2)
  nslcd: /etc/nss-ldapd.conf:30: option tls_checkpeer is currently untested (please report any successes)
  nslcd: /etc/nss-ldapd.conf:31: option tls_cacertfile is currently untested (please report any successes)
  nslcd: version 0.6.7 starting
  nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
  nslcd: DEBUG: setgroups(0,NULL) done
  nslcd: DEBUG: setgid(120) done
  nslcd: DEBUG: setuid(113) done
  nslcd: accepting connections
  nslcd: [8b4567] DEBUG: connection from pid=12401 uid=0 gid=0
  nslcd: [8b4567] DEBUG: nslcd_passwd_byname(tiziano)
  nslcd: [8b4567] DEBUG: myldap_search(base="dc=bccn-berlin,dc=de", filter="(&(objectClass=posixAccount)(uid=tiziano))")
  nslcd: [8b4567] DEBUG: simple anonymous bind to ldap://ldap1
  nslcd: [8b4567] connected to LDAP server ldap://ldap1
  nslcd: [8b4567] DEBUG: ldap_result(): end of results
  nslcd: [7b23c6] DEBUG: connection from pid=12401 uid=0 gid=0
  nslcd: [7b23c6] DEBUG: nslcd_passwd_byuid(2061)
  [...]
A debug session looking up the same user on the broken sid client with TLS enabled:

  nslcd: DEBUG: add_uri(ldap://ldap1)
  nslcd: DEBUG: add_uri(ldap://ldap2)
  nslcd: /etc/nss-ldapd.conf:30: option tls_reqcert is currently untested (please report any successes)
  nslcd: /etc/nss-ldapd.conf:31: option tls_cacertfile is currently untested (please report any successes)
  nslcd: version 0.6.8 starting
  nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
  nslcd: DEBUG: setgroups(0,NULL) done
  nslcd: DEBUG: setgid(122) done
  nslcd: DEBUG: setuid(112) done
  nslcd: accepting connections
  nslcd: [8b4567] DEBUG: connection from pid=22112 uid=0 gid=0
  nslcd: [8b4567] DEBUG: nslcd_passwd_byname(tiziano)
  nslcd: [8b4567] DEBUG: myldap_search(base="dc=bccn-berlin,dc=de", filter="(&(objectClass=posixAccount)(uid=tiziano))")
  nslcd: [8b4567] ldap_start_tls_s() failed: Connect error: No such file or directory
  nslcd: [8b4567] failed to bind to LDAP server ldap://ldap1: Connect error: No such file or directory
  nslcd: [8b4567] ldap_start_tls_s() failed: Connect error: Success
  nslcd: [8b4567] failed to bind to LDAP server ldap://ldap2: Connect error: Success
  nslcd: [8b4567] no available LDAP server found, sleeping 1 seconds
  nslcd: [8b4567] no available LDAP server found
  [...]
A debug session looking up the same user on the same broken sid client, this time with TLS disabled:

  nslcd: DEBUG: add_uri(ldap://ldap1)
  nslcd: DEBUG: add_uri(ldap://ldap2)
  nslcd: version 0.6.8 starting
  nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
  nslcd: DEBUG: setgroups(0,NULL) done
  nslcd: DEBUG: setgid(122) done
  nslcd: DEBUG: setuid(112) done
  nslcd: accepting connections
  nslcd: [8b4567] DEBUG: connection from pid=22121 uid=0 gid=0
  nslcd: [8b4567] DEBUG: nslcd_passwd_byname(tiziano)
  nslcd: [8b4567] DEBUG: myldap_search(base="dc=bccn-berlin,dc=de", filter="(&(objectClass=posixAccount)(uid=tiziano))")
  nslcd: [8b4567] DEBUG: simple anonymous bind to ldap://ldap1
  nslcd: [8b4567] connected to LDAP server ldap://ldap1
  nslcd: [8b4567] DEBUG: ldap_result(): end of results
  nslcd: [7b23c6] DEBUG: connection from pid=22121 uid=0 gid=0
  nslcd: [7b23c6] DEBUG: nslcd_passwd_byuid(2061)
  [...]

If more info is needed, I'm happy to assist: we need to use TLS (the LAN cannot be trusted).

ciao,
tiziano

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldapd depends on:
ii  adduser               3.110                add and remove users and groups
ii  debconf [debconf-2.0] 1.5.26               Debian configuration management sy
ii  libc6                 2.9-7                GNU C Library: Shared libraries
ii  libgssapi-krb5-2      1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries - k
ii  libldap-2.4-2         2.4.15-1.1           OpenLDAP libraries
ii  libsasl2-2            2.1.22.dfsg1-23      Cyrus SASL - authentication abstra

Versions of packages libnss-ldapd recommends:
ii  libpam-ldap           184-8                Pluggable Authentication Module fo
pn  nscd                  <none>               (no description available)

libnss-ldapd suggests no packages.
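The report contrasts a 0.6.7 config using "tls_checkpeer yes" with a 0.6.8 config using "tls_reqcert demand", and the only visible symptom of the failure is an opaque "Connect error". The following shell function is an added example, written for this page and not part of the bug report or of nss-ldapd itself; it checks an nss-ldapd.conf before nslcd is restarted, so that a genuine misconfiguration (old option name, a tls_reqcert value that would not reject a bad server certificate, or a CA file that is missing or unreadable) can be ruled out before blaming the StartTLS code path. The sample configs it is run on are constructed to mirror the ones in the report, with a throwaway CA file in a temp directory instead of /etc/ssl/certs/bccnca.pem.

```shell
#!/bin/sh
# check_nslcd_tls CONFIG
# Added example, not from the bug report or from nss-ldapd.
# Prints one WARN line per finding and returns 0 only when the file asks for
# StartTLS, uses tls_reqcert demand (or hard), and names a readable CA file.
check_nslcd_tls() {
    conf="$1"
    rc=0

    # Comments are stripped; for a repeated option the last occurrence wins,
    # which is what a hand-edited file usually ends up with.
    ssl=$(sed 's/#.*//' "$conf" | awk '$1=="ssl"{v=$2} END{print v}')
    reqcert=$(sed 's/#.*//' "$conf" | awk '$1=="tls_reqcert"{v=$2} END{print v}')
    checkpeer=$(sed 's/#.*//' "$conf" | awk '$1=="tls_checkpeer"{v=$2} END{print v}')
    cafile=$(sed 's/#.*//' "$conf" | awk '$1=="tls_cacertfile"{v=$2} END{print v}')

    case "$ssl" in
        start_tls|on) ;;
        *) echo "WARN: ssl is '${ssl:-unset}'; LDAP traffic would be cleartext"; rc=1 ;;
    esac

    # tls_checkpeer is the option name the 0.6.7 config in the report uses;
    # the 0.6.8 config uses tls_reqcert instead.
    if [ -n "$checkpeer" ]; then
        echo "WARN: tls_checkpeer '$checkpeer' found; 0.6.8 configs use tls_reqcert"
        rc=1
    fi

    case "$reqcert" in
        demand|hard) ;;
        never|allow|try)
            echo "WARN: tls_reqcert '$reqcert' does not reject a bad server certificate"
            rc=1 ;;
        "") echo "WARN: tls_reqcert is unset"; rc=1 ;;
        *)  echo "WARN: tls_reqcert '$reqcert' is not a known value"; rc=1 ;;
    esac

    if [ -z "$cafile" ]; then
        echo "WARN: tls_cacertfile is unset; a self-signed server cert cannot be verified"
        rc=1
    elif [ ! -r "$cafile" ]; then
        echo "WARN: tls_cacertfile '$cafile' is not readable by this user"
        rc=1
    fi
    return $rc
}

# Constructed demo: the two configs from the report, with a dummy CA file.
demo_dir=$(mktemp -d)
touch "$demo_dir/bccnca.pem"
printf 'ssl start_tls\ntls_checkpeer yes\ntls_cacertfile %s/bccnca.pem\n' \
    "$demo_dir" > "$demo_dir/lenny.conf"
printf 'ssl start_tls\ntls_reqcert demand\ntls_cacertfile %s/bccnca.pem\n' \
    "$demo_dir" > "$demo_dir/sid.conf"

for f in lenny.conf sid.conf; do
    echo "== $f"
    if check_nslcd_tls "$demo_dir/$f"; then
        echo "OK: TLS section looks sane; a failure here is not a config typo"
    fi
done
rm -rf "$demo_dir"
```

On the report's sid config the function finds nothing to complain about, which is the point: with the file clean, the "ldap_start_tls_s() failed: Connect error" lines point at the 0.6.8 code path rather than at the config, and the next step is to test the same CA file against the server directly (for example with ldapsearch -ZZ or openssl s_client -starttls ldap -CAfile ...).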