[Pkg-openldap-devel] Bug#807922: slapd: Unable to use olcTLSVerifyClient

dean dblack at dblacksystems.net
Sun Jul 31 00:34:59 UTC 2016


>> At the moment, I think this behaviour is intentional and by design.
>>
>>> First, I would note that this only happens when you haven't performed
>>> the minimal TLS configuration yet:

It's not by design.  If it is, someone needs the Kay Sievers treatment.

1) As I told you a few weeks ago, the OpenLDAP build is broken.
2) GnuTLS sucks the royal spoon.
3) "Upstream" stops at Debian.
4) There are even broken password settings (in another bug report, called "a minor bug")...

LAST BUT NOT LEAST, COMPOUNDING THE PROBLEMS -- there are even mismatches between various packages:
1)  NSSWITCH.
2)  PAM
3)  OpenLDAP.

libnss_ldap.secret
ldap.secret
pam_ldap.secret.

NUTS.

That's why I build my own OpenLDAP... and I have flawless programs and scripts to do it.  However, every version of Debian seems to break my code.

Sievers Situation.

I build my own now.  But now I've even got to redo LIBNSS AND PAM, TOO!!!  Before long, I'll have my own distro????

Ridiculous.  As I also said before, testing is imperative.  I'll withhold my "Torvalds response."



On Mon, 14 Dec 2015 15:05:22 +0100 Obspm <albert.shih at obspm.fr> wrote:
 > Package: slapd
 > Version: 2.4.40+dfsg-1+deb8u1
 > Severity: important
 >
 >
 > Hi everyone.
 >
 > From a fresh install (the server is a virtual machine with VirtualBox), after basic configuration of slapd, without any configuration other than that made by apt-get, and with no special data, when I add this piece of LDIF
 >
 > dn: cn=config
 > changeType: modify
 > add: olcTLSVerifyClient
 > olcTLSVerifyClient: never
 > -
 >
 > I always get a
 >
 > root at debian:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f toto.ldif
 > SASL/EXTERNAL authentication started
 > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 > SASL SSF: 0
 > modifying entry "cn=config"
 > ldap_modify: Server is unwilling to perform (53)
 >
 > and the debug file contains (with LogLevel: 1)
 >
 > Dec 14 15:04:12 debian slapd[3597]: slap_listener_activate(11):
 > Dec 14 15:04:12 debian slapd[3597]: >>> slap_listener(ldapi:///)
 > Dec 14 15:04:12 debian slapd[3597]: connection_get(13): got connid=1031
 > Dec 14 15:04:12 debian slapd[3597]: connection_read(13): checking for input on id=1031
 > Dec 14 15:04:12 debian slapd[3597]: op tag 0x60, time 1450101852
 > Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=0 do_bind
 > Dec 14 15:04:12 debian slapd[3597]: >>> dnPrettyNormal: <>
 > Dec 14 15:04:12 debian slapd[3597]: <<< dnPrettyNormal: <>, <>
 > Dec 14 15:04:12 debian slapd[3597]: do_bind: dn () SASL mech EXTERNAL
 > Dec 14 15:04:12 debian slapd[3597]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
 > Dec 14 15:04:12 debian slapd[3597]: <==slap_sasl2dn: Converted SASL name to <nothing>
 > Dec 14 15:04:12 debian slapd[3597]: SASL Authorize [conn=1031]: proxy authorization allowed authzDN=""
 > Dec 14 15:04:12 debian slapd[3597]: send_ldap_sasl: err=0 len=-1
 > Dec 14 15:04:12 debian slapd[3597]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
 > Dec 14 15:04:12 debian slapd[3597]: send_ldap_response: msgid=1 tag=97 err=0
 > Dec 14 15:04:12 debian slapd[3597]: <== slap_sasl_bind: rc=0
 > Dec 14 15:04:12 debian slapd[3597]: connection_get(13): got connid=1031
 > Dec 14 15:04:12 debian slapd[3597]: connection_read(13): checking for input on id=1031
 > Dec 14 15:04:12 debian slapd[3597]: op tag 0x66, time 1450101852
 > Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=1 do_modify
 > Dec 14 15:04:12 debian slapd[3597]: >>> dnPrettyNormal: <cn=config>
 > Dec 14 15:04:12 debian slapd[3597]: <<< dnPrettyNormal: <cn=config>, <cn=config>
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_required entry (cn=config), objectClass "olcGlobal"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "objectClass"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "cn"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcArgsFile"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcPidFile"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcToolThreads"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "structuralObjectClass"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "entryUUID"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "creatorsName"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "createTimestamp"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcConnMaxPending"
 > Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcLogLevel"

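For readers who land here with the same "Server is unwilling to perform (53)": the reply quoted at the top of this message names the trigger, namely that olcTLSVerifyClient is being set on a slapd that has no certificate and key yet, so there is nothing to build a TLS context from. The debug output above confirms the ldapi:/// SASL/EXTERNAL bind itself succeeded (err=0, sasl_ssf=0, local peer credentials, no TLS involved); the refusal comes from the modify. The LDIF below is an added example, not from the bug report, the Debian package or the OpenLDAP project: it supplies the minimal TLS configuration and sets olcTLSVerifyClient in one modify operation, so slapd never sees a certificate without its key or a verify policy without a certificate. The three file paths under /etc/ssl are assumptions; substitute the CA bundle, server certificate and private key actually deployed, and make sure the user slapd runs as can read the key file.

```ldif
# Added example (not part of bug #807922). Paths are assumptions;
# replace them with the CA bundle, certificate and key on the server.
# "replace" rather than "add" so the same file applies cleanly whether
# or not the attributes already exist on cn=config.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.example.com.key
-
# never | allow | try | demand (alias: hard). "never" is the default and
# only makes sense here as a placeholder; "demand" requires every client
# on a TLS listener to present a certificate signed by the CA above.
replace: olcTLSVerifyClient
olcTLSVerifyClient: never
-
```

Apply it the same way the reporter did, `ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif`, and confirm what slapd accepted with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient`. Two caveats worth keeping in mind: the verify policy applies to all TLS listeners (ldaps:// and StartTLS on ldap://), not to ldapi:///, so local peercred administration keeps working whatever value you choose; and with the Debian build, which is linked against GnuTLS, a certificate or key file that is unreadable or mismatched fails at the same point and produces the same unhelpful error 53, so check file ownership and that the key matches the certificate before suspecting the directive itself.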