Bug#643948: Doesn't occur when LDAP is unencrypted

Trent W. Buck trentbuck at gmail.com
Thu May 15 01:06:00 UTC 2014


Arthur,

This datapoint is probably intuitive, but I'll point it out anyway.

I've been running 0.9.2-1wheezy1 (my own backport) on top of wheezy
for a while, and never saw this issue.

In the last couple of weeks, I switched from unencrypted ldap://ldap
to encrypted ldaps://ldap, and now I'm seeing it on around 10% to 20%
of boots (with a sample set of about ten boots).

I haven't tried with STARTTLS.

So anyway: this issue appears to only arise if TLS is used.

nslcd.conf diff:

     uid nslcd
     gid nslcd
    -uri ldap://ldap/
    +uri ldaps://ldap/
    +tls_cacertfile /etc/ssl/certs/com.prisonpc.pem
     base o=PrisonPC
     pam_authz_search (&(objectClass=posixGroup)(cn=prisoners)(memberUid=$username))
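Review bot: the hunk pins a CA bundle with tls_cacertfile but adds no tls_reqcert line, so whether the server certificate is actually verified against /etc/ssl/certs/com.prisonpc.pem depends on nslcd's default; adding an explicit `tls_reqcert demand` beside `tls_cacertfile` makes the intended verification policy unambiguous and rules out an ldaps:// connection that silently skips peer verification.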

FTR, workarounds I'm considering are:

  - stunnel4 on the clients, then plaintext ldap over that.
    (I'm already doing this for
    http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
    due to problems with chromium.)

  - build openldap against openssl instead of gnutls.
    I used to do this to get sudo-ldap to work with PADL libpam-ldap,
    where gnutls+ldaps+setuid was broken.

Obviously neither is an appropriate fix for Debian.