Bug#643948: Doesn't occur when LDAP is unencrypted
Trent W. Buck
trentbuck at gmail.com
Thu May 15 01:06:00 UTC 2014
This datapoint is probably intuitive, but I'll point it out anyway.
I've been running 0.9.2-1wheezy1 (my own backport) on top of wheezy
for a while, and never saw this issue.
In the last couple of weeks, I switched from unencrypted ldap://ldap
to encrypted ldaps://ldap, and now I'm seeing it on around 10% to 20%
of boots (with a sample set of about ten boots).
I haven't tried with STARTTLS.
So anyway: this issue appears to only arise if TLS is used.
FTR, workarounds I'm considering are:
- stunnel4 on the clients, then plaintext ldap over that.
(I'm already doing this for
due to problems with chromium.)
- build openldap against openssl instead of gnutls.
I used to do this to get sudo-ldap to work with PADL libpam-ldap,
where gnutls+ldaps+setuid was broken.
Obviously neither are appropriate fixes for Debian.
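One way to set up the first workaround above (stunnel4 on the client, plaintext LDAP over it), as an added example that is not part of the original message: a client-mode stunnel4 configuration that accepts plaintext LDAP on loopback only and forwards it over TLS to the directory server. The hostname ldap.example.org, the CA bundle path and the service name are assumptions; `verify = 2` together with `CAfile` is what makes stunnel actually check the server certificate instead of merely encrypting the hop.

```ini
; Added example stunnel4 client configuration (not from the original message).
; Assumed values: ldap.example.org and the CA bundle path; adjust to the local setup.

; Act as a TLS client towards the remote side.
client = yes

[ldap]
; Listen on loopback only, so the plaintext leg never leaves this host.
accept  = 127.0.0.1:389
; Forward to the ldaps port of the directory server over TLS.
connect = ldap.example.org:636
; Require and verify the server certificate against the trusted CA bundle;
; without this the tunnel is encrypted but not authenticated.
verify  = 2
CAfile  = /etc/ssl/certs/ca-certificates.crt
```

The LDAP client (for example the `uri` setting in the libnss-ldap/libpam-ldap or nslcd configuration) is then pointed at `ldap://127.0.0.1/` instead of `ldaps://ldap`, so libldap never negotiates TLS itself and the GnuTLS code path the report blames is not exercised; stunnel, which is built against OpenSSL, handles the TLS session. Keep the listener on 127.0.0.1 and leave `verify` enabled, otherwise the workaround downgrades the deployment to unauthenticated or even plaintext directory traffic.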