Bug#643948: Doesn't occur when LDAP is unencrypted
Trent W. Buck
trentbuck at gmail.com
Thu May 15 01:06:00 UTC 2014
Arthur,
This datapoint is probably intuitive, but I'll point it out anyway.
I've been running 0.9.2-1wheezy1 (my own backport) on top of wheezy
for a while, and never saw this issue.
In the last couple of weeks, I switched from unencrypted ldap://ldap
to encrypted ldaps://ldap, and now I'm seeing it on around 10% to 20%
of boots (with a sample set of about ten boots).
I haven't tried with STARTTLS.
So anyway: this issue appears to only arise if TLS is used.
nslcd.conf diff:
uid nslcd
gid nslcd
-uri ldap://ldap/
+uri ldaps://ldap/
+tls_cacertfile /etc/ssl/certs/com.prisonpc.pem
base o=PrisonPC
pam_authz_search (&(objectClass=posixGroup)(cn=prisoners)(memberUid=$username))
FTR, workarounds I'm considering are:
- stunnel4 on the clients, then plaintext ldap over that.
(I'm already doing this for
http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
due to problems with chromium.)
- build openldap against openssl instead of gnutls.
I used to do this to get sudo-ldap to work with PADL libpam-ldap,
where gnutls+ldaps+setuid was broken.
Obviously neither is an appropriate fix for Debian.
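For the first workaround mentioned above, a stunnel4 client-side configuration is sketched here as an added example (not part of the original message): stunnel listens on the loopback interface, verifies the server against the same CA file the nslcd.conf diff uses, and forwards to the LDAPS port on the host `ldap`; nslcd then talks plain ldap:// to loopback. The host name and CA path come from the message; the port numbers and service name are assumptions.

```ini
; /etc/stunnel/ldap.conf  (stunnel 4.x syntax, as shipped in wheezy)
; Run as an unprivileged user; chroot is omitted so CAfile stays readable.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/ldap.pid

[ldap]
client = yes
; nslcd connects here in cleartext; loopback only, never a routable address.
accept = 127.0.0.1:389
; Assumed: the LDAPS server from the diff, on the standard port.
connect = ldap:636
; Same CA bundle the nslcd.conf diff points tls_cacertfile at.
CAfile = /etc/ssl/certs/com.prisonpc.pem
; verify = 2: require a server certificate and check its chain against CAfile.
; Without this stunnel would accept any certificate and the tunnel would
; give no protection against an impersonated LDAP server.
verify = 2
```

With this in place the nslcd.conf line becomes `uri ldap://127.0.0.1/` and the `tls_cacertfile` line is no longer needed, since certificate validation now happens in stunnel.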