[Pkg-openldap-devel] Bug#568522: client certificates fail with GNUTLS slapd

Peter Marschall peter at adpm.de
Tue Apr 27 10:16:48 UTC 2010


Package: slapd
Severity: normal

Hi,

although I am not the original submitter, I tried to reproduce the bug with
OpenLDAP 2.4.21 in unstable.
Result of my tests: I cannot reproduce the bug in this version.

Here are a few details on my LDAP/TLS config:

/home/client# ls -l /etc/ldap/ldap.conf ~/.ldaprc
-rw-r--r-- 1 openldap root   321 27. Apr 11:44 /etc/ldap/ldap.conf
-rw-r----- 1 client   client 205 27. Apr 11:43 /home/marschap/.ldaprc

/home/client# cat /etc/ldap/ldap.conf
# /etc/openldap/ldap.conf -- OpenLDAP client defaults configuration file
# See ldap.conf(5) for details on configuration options.
# This file should be world readable but not world writable.
## server options ##
HOST            127.0.0.1
PORT            389
BASE            c=DE
## TLS options ##
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

/home/client# cat ~client/.ldaprc
# ~/.ldaprc -- private libldap config file
# See ldap.conf(5) for details
TLS_CERT        /home/client/.ssl/certs/client-cert.pem
TLS_KEY         /home/client/.ssl/private/client-keyopen.pem
TLS_REQCERT     demand

/home/client# ls -l /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/server-cert.pem /etc/ssl/private/server-key.pem
-rw-r--r-- 1 root root     221942  7. Apr 15:21 /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root ssl-cert   2155  7. Apr 12:07 /etc/ssl/certs/server-cert.pem
-rw-r----- 1 root ssl-cert   3243  8. Apr 2008  /etc/ssl/private/server-key.pem

/home/client# grep TLS /etc/ldap/slapd.conf
TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSCertificateFile      /etc/ssl/certs/server-cert.pem
TLSCertificateKeyFile   /etc/ssl/private/server-key.pem
TLSCipherSuite          NORMAL:!AES-128-CBC
TLSVerifyClient         try

Further information:
* slapd runs as user openldap which is in group ssl-cert
* the CA certificate in /etc/ssl/certs/cacert.pem is contained
  in /etc/ssl/certs/ca-certificates.crt

Best regards
Peter

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser                   3.112          add and remove users and groups
ii  coreutils                 7.4-2          The GNU core utilities
ii  debconf [debconf-2.0]     1.5.32         Debian configuration management sy
ii  libc6                     2.10.2-6       Embedded GNU C Library: Shared lib
ii  libdb4.7                  4.7.25-9       Berkeley v4.7 Database Libraries [
ii  libgnutls26               2.8.6-1        the GNU TLS library - runtime libr
ii  libldap-2.4-2             2.4.21-1       OpenLDAP libraries
ii  libltdl7                  2.2.6b-2       A system independent dlopen wrappe
ii  libperl5.10               5.10.1-12      shared Perl library
ii  libsasl2-2                2.1.23.dfsg1-5 Cyrus SASL - authentication abstra
ii  libslp1                   1.2.1-7.7      OpenSLP libraries
ii  libwrap0                  7.6.q-18       Wietse Venema's TCP wrappers libra
ii  lsb-base                  3.2-23         Linux Standard Base 3.2 init scrip
ii  perl [libmime-base64-perl 5.10.1-12      Larry Wall's Practical Extraction 
ii  psmisc                    22.11-1        utilities that use the proc file s
ii  unixodbc                  2.2.11-21      ODBC tools libraries

Versions of packages slapd recommends:
ii  libsasl2-modules          2.1.23.dfsg1-5 Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
ii  ldap-utils                   2.4.21-1pm1 OpenLDAP utilities

-- debconf information:
  slapd/tlsciphersuite:
  shared/organization: adpm.de
  slapd/upgrade_slapcat_failure:
  slapd/backend: HDB
  slapd/allow_ldap_v2: false
  slapd/no_configuration: false
  slapd/move_old_database: true
  slapd/suffix_change: false
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/domain: adpm.de
  slapd/password_mismatch:
  slapd/invalid_config: true
  slapd/slurpd_obsolete:
  slapd/dump_database: when needed
  slapd/migrate_ldbm_to_bdb: false
  slapd/purge_database: false
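Added example (not part of the bug report, and not OpenLDAP or Debian code): a small Python checker for the client-side TLS configuration quoted above. It parses ldap.conf(5)-style files, merges the system ldap.conf with ~/.ldaprc the way libldap does (the user file wins), verifies that the CA certificate file is contained in the CA bundle (the point made under "Further information"), and flags settings that weaken verification: a TLS_REQCERT other than demand, no TLS_CACERT/TLS_CACERTDIR, missing certificate or key files, and a world-readable client key. All paths, certificate bodies and the helper names (parse_ldap_conf, check_client_tls, demo) are constructed for this example; the PEM bodies are placeholders, not real certificates, because only the PEM block boundaries are compared. The server-side slapd.conf settings (TLSVerifyClient, TLSCipherSuite) are not checked here.

```python
import os
import stat
import tempfile

# Constructed sample inputs, modelled on the two client files quoted in the report.
SYSTEM_LDAP_CONF = """\
# /etc/openldap/ldap.conf -- OpenLDAP client defaults configuration file
HOST            127.0.0.1
PORT            389
BASE            c=DE
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
"""

USER_LDAPRC = """\
# ~/.ldaprc -- private libldap config file
TLS_CERT        /home/client/.ssl/certs/client-cert.pem
TLS_KEY         /home/client/.ssl/private/client-keyopen.pem
TLS_REQCERT     demand
"""


def parse_ldap_conf(text):
    """Parse 'KEY value' lines; '#' comments and blank lines are ignored.
    Option names are case-insensitive in libldap, so they are upper-cased here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def merge_client_config(system_text, user_text):
    """libldap reads the system ldap.conf first and ~/.ldaprc afterwards; later values win."""
    conf = parse_ldap_conf(system_text)
    conf.update(parse_ldap_conf(user_text))
    return conf


def pem_certificate_blocks(text):
    """Return the set of complete PEM CERTIFICATE blocks found in a file's text."""
    blocks, current = set(), None
    for line in text.splitlines():
        if line == "-----BEGIN CERTIFICATE-----":
            current = [line]
        elif current is not None:
            current.append(line)
            if line == "-----END CERTIFICATE-----":
                blocks.add("\n".join(current))
                current = None
    return blocks


def ca_contained_in_bundle(ca_path, bundle_path):
    """True when every certificate in ca_path also appears verbatim in the bundle."""
    with open(ca_path) as f:
        ca = pem_certificate_blocks(f.read())
    with open(bundle_path) as f:
        bundle = pem_certificate_blocks(f.read())
    return bool(ca) and ca <= bundle


def check_client_tls(conf):
    """Return a list of findings for a merged client configuration (empty means clean)."""
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # libldap's default is 'demand'
    if reqcert != "demand":
        findings.append(f"TLS_REQCERT is '{reqcert}': server certificate is not strictly verified")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: the server certificate cannot be verified")
    for key in ("TLS_CERT", "TLS_KEY"):
        if key in conf and not os.path.exists(conf[key]):
            findings.append(f"{key} points to a missing file: {conf[key]}")
    key_path = conf.get("TLS_KEY")
    if key_path and os.path.exists(key_path):
        # 0640 root:ssl-cert with slapd in the group is intentional in the report,
        # so only world-readable private keys are flagged here.
        if os.stat(key_path).st_mode & stat.S_IROTH:
            findings.append(f"TLS_KEY {key_path} is world-readable")
    return findings


def demo():
    """Create constructed certificate files in a temp directory and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        ca, bundle = os.path.join(d, "cacert.pem"), os.path.join(d, "ca-certificates.crt")
        cert, key = os.path.join(d, "client-cert.pem"), os.path.join(d, "client-key.pem")
        fake_ca = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA-BODY\n-----END CERTIFICATE-----\n"
        other = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-OTHER-BODY\n-----END CERTIFICATE-----\n"
        for path, content in ((ca, fake_ca), (bundle, other + fake_ca),
                              (cert, other), (key, "CONSTRUCTED PRIVATE KEY PLACEHOLDER\n")):
            with open(path, "w") as f:
                f.write(content)
        os.chmod(key, 0o600)
        conf = merge_client_config(SYSTEM_LDAP_CONF, USER_LDAPRC)
        conf["TLS_CACERT"], conf["TLS_CERT"], conf["TLS_KEY"] = bundle, cert, key
        return ca_contained_in_bundle(ca, bundle), check_client_tls(conf)


if __name__ == "__main__":
    print(demo())
```

Run against real files, replace the constructed paths in demo() with the ones from /etc/ldap/ldap.conf and ~/.ldaprc; an empty findings list together with a True bundle check corresponds to the configuration described in the report.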
