[Pkg-openldap-devel] Bug#568522: Valid client certificates fail with GNUTLS slapd
Timothy Allen
allen at maths.ox.ac.uk
Fri Feb 5 13:13:18 UTC 2010
Package: slapd
Version: 2.4.11-1+lenny1
Severity: important
I am in the process of replacing expiring client certificates for use with
SASL/EXTERNAL. Unfortunately every certificate I have generated (including
commercial certificates) has failed when connecting to the slapd server,
with the following error:

    SASL/EXTERNAL authentication started
    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

(The server gives an "unable to get TLS client DN" error.)
When building OpenLDAP linked against OpenSSL, the problem disappears.
There is also no problem when using the certificates to make a connection
between gnutls-cli and gnutls-serv. The certificates also work when used
as server certificates in GNUTLS-linked slapd. The only time the certificates
do not work is as client certificates connecting to a GNUTLS-linked slapd
server.
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages slapd depends on:
ii adduser 3.110 add and remove users and groups
ii coreutils 6.10-6 The GNU core utilities
ii debconf [debconf- 1.5.24 Debian configuration management sy
ii libc6 2.7-18lenny2 GNU C Library: Shared libraries
ii libdb4.2 4.2.52+dfsg-5 Berkeley v4.2 Database Libraries [
ii libgnutls26 2.4.2-6+lenny2 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.11-1+lenny1 OpenLDAP libraries
ii libltdl3 1.5.26-4+lenny1 A system independent dlopen wrappe
ii libperl5.10 5.10.0-19lenny2 Shared Perl library
ii libsasl2-2 2.1.22.dfsg1-23+lenny1 Cyrus SASL - authentication abstra
ii libslp1 1.2.1-7.5 OpenSLP libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii perl [libmime-bas 5.10.0-19lenny2 Larry Wall's Practical Extraction
ii psmisc 22.6-1 Utilities that use the proc filesy
ii unixodbc 2.2.11-16 ODBC tools libraries
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.22.dfsg1-23+lenny1 Cyrus SASL - pluggable authenticat
Versions of packages slapd suggests:
ii ldap-utils 2.4.11-1+lenny1 OpenLDAP utilities
-- debconf information:
slapd/password2: (password omitted)
slapd/internal/adminpw: (password omitted)
slapd/password1: (password omitted)
slapd/allow_ldap_v2: false
slapd/password_mismatch:
slapd/tlsciphersuite:
slapd/suffix_change: false
slapd/invalid_config: true
shared/organization: maths.ox.ac.uk
slapd/dump_database_destdir: /var/backups/slapd-VERSION
slapd/upgrade_slapcat_failure:
slapd/slurpd_obsolete:
slapd/purge_database: false
slapd/domain: maths.ox.ac.uk
slapd/backend: HDB
slapd/no_configuration: false
slapd/move_old_database: true
slapd/dump_database: when needed