[Pkg-openldap-devel] Bug#861838: ldap-utils: ldapsearch and ldapwhoami cannot connect to ldaps server
Ryan Tandy
ryan at nardis.ca
Sat May 6 03:41:11 UTC 2017
Control: tag -1 = confirmed
Control: found -1 2.4.44+dfsg-4
Control: retitle -1 long list of acceptable CA names breaks libldap
OK, I have reproduced this. On Debian:
apt-get install ldap-utils slapd ssl-cert
adduser openldap ssl-cert
sed -i 's,^SLAPD_SERVICES=.*,SLAPD_SERVICES="ldap:// ldapi:// ldaps://",' /etc/default/slapd
service slapd restart
ldapmodify -H ldapi:// -Y EXTERNAL << EOF
dn: cn=config
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key
EOF
# prints a long list of acceptable CA names
openssl s_client -CAfile /etc/ssl/certs/ssl-cert-snakeoil.pem -connect localhost:636 -showcerts
# should succeed, but fails
LDAPTLS_CACERT=/etc/ssl/certs/ssl-cert-snakeoil.pem ldapwhoami -ZZ -x
I should note that I rebuilt libldap and the clients against OpenSSL and the same commands work. However, gnutls-cli also works for me, so this problem appears to be specific to libldap's GnuTLS support.
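The reproduction above leans on the "long list of acceptable CA names" that openssl s_client prints from the server's CertificateRequest. As an added example, not code from the bug report or from the OpenLDAP project, the following script quantifies that list (entry count and total bytes of subject names) from an s_client transcript, so the size of the list the server advertises can be compared across CA-file choices. The transcript embedded in SAMPLE is constructed to look like s_client output; against a real server, pipe the output of `openssl s_client -connect HOST:636 -showcerts </dev/null` into the functions instead.

```shell
#!/bin/sh
# Added example (not from the bug report): measure the
# "Acceptable client certificate CA names" list that an LDAPS server
# sends in its TLS CertificateRequest, as printed by openssl s_client.
# Real input:  openssl s_client -connect HOST:636 -showcerts </dev/null 2>/dev/null
# The SAMPLE transcript below is constructed for offline use.

# Number of CA names in the acceptable-CA list of an s_client transcript on stdin.
# The list starts after the "Acceptable client certificate CA names" header and
# ends at the next section header or "---" separator.
count_acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        inlist && /^(Client Certificate Types|Requested Signature Algorithms|---)/ { inlist = 0 }
        inlist && NF { n++ }
        END { print n + 0 }
    '
}

# Total bytes of the listed subject names: a rough proxy for how much of the
# CertificateRequest message the CA list occupies.
bytes_acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        inlist && /^(Client Certificate Types|Requested Signature Algorithms|---)/ { inlist = 0 }
        inlist && NF { b += length($0) }
        END { print b + 0 }
    '
}

# Constructed sample transcript shaped like s_client output (three CA names).
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap.example.test
   i:/CN=ldap.example.test
---
Acceptable client certificate CA names
/C=US/O=Example Root CA 1/CN=Example Root CA 1
/C=US/O=Example Root CA 2/CN=Example Root CA 2
/C=DE/O=Example Org/CN=Example Org Root
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 4321 bytes and written 456 bytes
---'

# Constructed transcript for a server that sends no CA names at all.
SAMPLE_NONE='CONNECTED(00000003)
---
No client certificate CA names sent
---'

n=$(printf '%s\n' "$SAMPLE" | count_acceptable_cas)
b=$(printf '%s\n' "$SAMPLE" | bytes_acceptable_cas)
echo "acceptable CA names: $n entries, $b bytes of subject names"
```

Pointing the server at the whole system bundle (ca-certificates.crt, as in the reproduction) yields a list with one entry per trusted root; running the same measurement after switching olcTLSCACertificateFile to a smaller CA file shows how much the advertised list shrinks. That comparison is the practitioner's check; which list lengths libldap's GnuTLS path tolerates is not established by this report.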