Bug#643948: Doesn't occur when LDAP is unencrypted

Arthur de Jong adejong at debian.org
Fri May 16 17:23:51 UTC 2014

On Thu, 2014-05-15 at 11:06 +1000, Trent W. Buck wrote:
> In the last couple of weeks, I switched from unencrypted ldap://ldap
> to encrypted ldaps://ldap, and now I'm seeing it on around 10% to 20%
> of boots (with a sample set of about ten boots).

If you can reasonably reliably reproduce this, can you add the following
to /etc/init.d/nslcd (around line 120, right before
# start nslcd).

(date ; gdb -return-child-result -ex run -ex "thread apply all bt full"
-ex "quit" --args ldapsearch -x -H ldaps://ldap/ -b YOURBASEDN'
uid=YOURUID mail ) < /dev/null >> /var/log/nslcd.ldapsearch.boot.log
2>&1 &

(replace YOURBASEDN and YOURUID with appropriate values)

I'm wondering if this can help pinpoint the issue. If ldapsearch also
bums out it shouldn't be a threading issue (and at least prove that it
isn't something that nslcd is doing wrong).

I've recently added this myself but haven't caught a crash yet.

> FTR, workarounds I'm considering are:
>   - stunnel4 on the clients, then plaintext ldap over that.
>     (I'm already doing this for
>     http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>     due to problems with chromium.)
>   - build openldap against openssl instead of gnutls.
>     I used to do this to get sudo-ldap to work with PADL libpam-ldap,
>     where gnutls+ldaps+setuid was broken.
> Obviously neither are appropriate fixes for Debian.

Thanks for the ideas and thanks for updating the bug report.

-- arthur - adejong at debian.org - http://people.debian.org/~adejong --
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20140516/b73ed3b7/attachment.sig>

More information about the Pkg-gnutls-maint mailing list