[Pkg-openldap-devel] Bug#568522: client certificates fail with GNUTLS slapd
Peter Marschall
peter at adpm.de
Tue Apr 27 10:16:48 UTC 2010
Package: slapd
Severity: normal
Hi,
although I am not the original submitter, I tried to reproduce the bug with
OpenLDAP 2.4.21 in unstable.
Result of my tests: I cannot reproduce the bug in this version.
Here are a few details on my LDAP/TLS config:
/home/client# ls -l /etc/ldap/ldap.conf ~/.ldaprc
-rw-r--r-- 1 openldap root 321 27. Apr 11:44 /etc/ldap/ldap.conf
-rw-r----- 1 client client 205 27. Apr 11:43 /home/marschap/.ldaprc
/home/client# cat /etc/ldap/ldap.conf
# /etc/openldap/ldap.conf -- OpenLDAP client defaults configuration file
# See ldap.conf(5) for details on configuration options.
# This file should be world readable but not world writable.
## server options ##
HOST 127.0.0.1
PORT 389
BASE c=DE
## TLS options ##
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
/home/client# cat ~client/.ldaprc
# ~/.ldaprc -- private libldap config file
# See ldap.conf(5) for details
TLS_CERT /home/client/.ssl/certs/client-cert.pem
TLS_KEY /home/client/.ssl/private/client-keyopen.pem
TLS_REQCERT demand
/home/client# ls -l /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/server-cert.pem /etc/ssl/private/server-key.pem
-rw-r--r-- 1 root root 221942 7. Apr 15:21 /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root ssl-cert 2155 7. Apr 12:07 /etc/ssl/certs/server-cert.pem
-rw-r----- 1 root ssl-cert 3243 8. Apr 2008 /etc/ssl/private/server-key.pem
/home/client# grep TLS /etc/ldap/slapd.conf
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/server-cert.pem
TLSCertificateKeyFile /etc/ssl/private/server-key.pem
TLSCipherSuite NORMAL:!AES-128-CBC
TLSVerifyClient try
Further information:
* slapd runs as user openldap which is in group ssl-cert
* the CA certificate in /etc/ssl/certs/cacert.pem is contained
in /etc/ssl/certs/ca-certificates.crt
Best regards
Peter
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages slapd depends on:
ii adduser 3.112 add and remove users and groups
ii coreutils 7.4-2 The GNU core utilities
ii debconf [debconf-2.0] 1.5.32 Debian configuration management sy
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
ii libdb4.7 4.7.25-9 Berkeley v4.7 Database Libraries [
ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.21-1 OpenLDAP libraries
ii libltdl7 2.2.6b-2 A system independent dlopen wrappe
ii libperl5.10 5.10.1-12 shared Perl library
ii libsasl2-2 2.1.23.dfsg1-5 Cyrus SASL - authentication abstra
ii libslp1 1.2.1-7.7 OpenSLP libraries
ii libwrap0 7.6.q-18 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23 Linux Standard Base 3.2 init scrip
ii perl [libmime-base64-perl 5.10.1-12 Larry Wall's Practical Extraction
ii psmisc 22.11-1 utilities that use the proc file s
ii unixodbc 2.2.11-21 ODBC tools libraries
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.23.dfsg1-5 Cyrus SASL - pluggable authenticat
Versions of packages slapd suggests:
ii ldap-utils 2.4.21-1pm1 OpenLDAP utilities
-- debconf information:
slapd/tlsciphersuite:
shared/organization: adpm.de
slapd/upgrade_slapcat_failure:
slapd/backend: HDB
slapd/allow_ldap_v2: false
slapd/no_configuration: false
slapd/move_old_database: true
slapd/suffix_change: false
slapd/dump_database_destdir: /var/backups/slapd-VERSION
slapd/domain: adpm.de
slapd/password_mismatch:
slapd/invalid_config: true
slapd/slurpd_obsolete:
slapd/dump_database: when needed
slapd/migrate_ldbm_to_bdb: false
slapd/purge_database: false
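The two manual checks stated in the report above ("the CA certificate in cacert.pem is contained in ca-certificates.crt" and "slapd runs as user openldap which is in group ssl-cert", so it can read the 0640 root:ssl-cert key) are the usual first things to verify when client certificates fail. The script below is an added illustration, not code from the report or from OpenLDAP: it performs both checks on constructed PEM data and on the ownership/mode values shown in the ls output, so it runs without the reporter's files.

```python
"""Consistency checks for the slapd/libldap TLS layout shown in the report.

Added illustration (not part of the bug report): it reproduces the two
manual checks the reporter states, on constructed inputs.
"""
import re
import stat

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bodies(text):
    """Return the set of certificate bodies (whitespace removed) in PEM text."""
    return {re.sub(r"\s+", "", body) for body in PEM_BLOCK.findall(text)}


def ca_in_bundle(ca_pem, bundle_pem):
    """True if ca_pem holds at least one certificate and all of them
    also appear (byte-for-byte, ignoring line wrapping) in bundle_pem."""
    bodies = pem_bodies(ca_pem)
    return bool(bodies) and bodies <= pem_bodies(bundle_pem)


def can_read(mode, owner, group, user, user_groups):
    """Emulate the Unix read check slapd hits when opening its key file.

    mode is the permission bits (e.g. 0o640); user_groups is the set of
    groups the process belongs to (primary plus supplementary).
    """
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in user_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


# Constructed sample PEM data; the bodies are placeholders, not real certs.
CA_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\nBBBB\n-----END CERTIFICATE-----\n"
BUNDLE_PEM = ("-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n"
              "-----BEGIN CERTIFICATE-----\nAAAABBBB\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("CA in bundle:", ca_in_bundle(CA_PEM, BUNDLE_PEM))
    # server-key.pem is -rw-r----- root:ssl-cert; slapd runs as openldap,
    # which the report says is a member of ssl-cert.
    print("slapd can read key:",
          can_read(0o640, "root", "ssl-cert", "openldap", {"openldap", "ssl-cert"}))
```

On a real host, replace the constructed strings with the contents of the files named in the report and the mode/owner values from ls -l and id.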