On Mon, Jun 01, 2009 at 02:54:13PM +0200, Arthur de Jong wrote:
> On Sun, 2009-05-24 at 14:22 -0300, Rodrigo Campos wrote:
> > What is weird is that I have all options commented in /etc/ldap.conf
> > and I have no ~/.ldaprc.
>
> On Sun, 2009-05-24 at 14:34 -0300, Rodrigo Campos wrote:
> > I meant /etc/ldap/ldap.conf (I don't have a /etc/ldap.conf file)
> >
> > And now that I check, I do have "tls_checkpeer no"
> > in /etc/pam_ldap.conf, perhaps that file was parsed too?
>
> This file shouldn't be parsed as far as I know. You can try to start the
> old nslcd with:
>   strace -f -o /tmp/strace.log nslcd -d
> and have a look in the logfile to see which files are opened.
The files that are opened are:

  /etc/nss-ldapd.conf
  /etc/nsswitch.conf
  /etc/passwd
  /etc/group
  /var/run/nslcd/nslcd.pid
  /etc/resolv.conf
  /etc/host.conf
  /etc/hosts
  /etc/ldap/ldap.conf
  /root/ldaprc
  /root/.ldaprc
  ldaprc

So /etc/pam_ldap.conf is not checked. /root/ldaprc, /root/.ldaprc and ldaprc do not exist, /etc/ldap/ldap.conf is all commented, and in /etc/nss-ldapd.conf it is not turned on. The others do not have anything either...

Looking in the man page of nss-ldapd.conf 0.6.7.1, it says:

  tls_checkpeer
      Specifies whether to require and verify the server certificate or not, when using SSL/TLS with the OpenLDAP client library. The default is to use the default behaviour of the client library; for OpenLDAP 2.0 and earlier it is "no", for OpenLDAP 2.1 and later it is "yes". At least one of tls_cacertdir and tls_cacertfile is required if peer verification is enabled.

The man page of nss-ldapd.conf 0.6.10 says:

  tls_reqcert
      Specifies what checks to perform on a server-supplied certificate. The meaning of the values is described in the ldap.conf(5) manual page. At least one of tls_cacertdir and tls_cacertfile is required if peer verification is enabled.

and the man page of ldap.conf does not say anything about the default. So if I'm not wrong, the default has changed?

Anyways, I think I'm using OpenLDAP 2.1 or later of the client library. I have installed libldap2 2.1.30-13.4 and libldap-2.4-2 2.4.11-1 (if I'm not, it is probably that?). So the default of "yes" without specifying tls_cacertfile or tls_cacertdir is not possible with 0.6.7.1 (because I wasn't specifying it), and perhaps that makes tls_checkpeer default to "no" in 0.6.7.1?

Sorry for the delay again, I've been sick :S

Thanks a lot,
Rodrigo
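As an added illustration (not code from this thread, nor from nss-ldapd or nslcd), a small Python checker that reads an nss-ldapd.conf / nslcd.conf fragment and reports whether server certificate verification is off, on but without any CA source (the case the man page text above warns about), or properly configured. The sample configs, the placeholder CA path and the modelled client-library default are assumptions made for the example; the option names come from the man page excerpts quoted above.

```python
# Added example (not from the original thread or the nss-ldapd project):
# classify the TLS peer-verification posture of an nss-ldapd.conf fragment.

# tls_reqcert values that fully verify the server certificate per ldap.conf(5).
# "never" and "allow" do not reject a bad certificate; "try" accepts a missing one.
STRICT_REQCERT = {"demand", "hard"}


def parse_config(text):
    """Return {option: value} for active (uncommented) lines; keys lowercased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out option
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def assess_tls(text, library_default_checkpeer="yes"):
    """Return 'verification-disabled', 'verification-enabled-no-ca' or 'ok'.

    library_default_checkpeer models the OpenLDAP client default that applies
    when neither option is set: "yes" for 2.1+, "no" for 2.0 and earlier
    (as the 0.6.7.1 man page states). Assumed for the example.
    """
    cfg = parse_config(text)
    has_ca = "tls_cacertfile" in cfg or "tls_cacertdir" in cfg
    if "tls_reqcert" in cfg:              # 0.6.10-style option
        verifying = cfg["tls_reqcert"].lower() in STRICT_REQCERT
    elif "tls_checkpeer" in cfg:          # 0.6.7.1-style option
        verifying = cfg["tls_checkpeer"].lower() == "yes"
    else:
        verifying = library_default_checkpeer == "yes"
    if not verifying:
        return "verification-disabled"
    if not has_ca:
        return "verification-enabled-no-ca"   # no trust anchor: TLS will fail to verify
    return "ok"


# Constructed sample fragments (hostnames and paths are placeholders).
WEAK_CONFIG = "uri ldaps://ldap.example.org/\nssl on\ntls_checkpeer no\n"
NO_CA_CONFIG = "uri ldaps://ldap.example.org/\ntls_reqcert demand\n"
GOOD_CONFIG = NO_CA_CONFIG + "tls_cacertfile /etc/ssl/certs/ca-certificates.crt\n"

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("no-ca", NO_CA_CONFIG), ("good", GOOD_CONFIG)]:
        print(name, "->", assess_tls(cfg))
```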