Bug#411042: Info received (Bug#411042: [Pkg-samba-maint] Bug#411042: samba -dosen't connect to OpenLDAP)
Steve Langasek
vorlon at debian.org
Tue Mar 6 03:29:14 CET 2007
On Mon, Mar 05, 2007 at 01:57:49PM +0100, Mgr. Peter Tuharsky wrote:
> >What is the cn in the SSL certificate being used by the LDAP server? It
> >seems odd that this would work at all with start tls, unless your SSL
> >certificate was set up oddly.
> This is the beginning of the /etc/ldap/slapd-cert-ldap1.pem
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 2 (0x2)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=SK, ST=Slovakia, L=Banska Bystrica, O=Mesto,
> OU=Referat informatiky, CN=ldap2.misbb.sk/emailAddress=hlavaty at misbb.sk
> Validity
> Not Before: May 2 14:13:55 2004 GMT
> Not After : May 2 14:13:55 2005 GMT
> Subject: C=SK, ST=Slovakia, L=Banska Bystrica, O=Mesto,
> OU=Referat informatiky, CN=ldap1.misbb.sk/emailAddress=hlavaty at misbb.sk
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> It seems that the certificate has expired already.
Right, that's at least one problem in the setup.
> However, there are some questionable circumstances:
> 1, it has been working alright before, a few weeks ago, on Sarge
That suggests a bug in the checking that was done in sarge.
> 2, it works even now for samba if localhost is specified (as mentioned
> before).
That means the information in the certificate is being completely bypassed;
whether that means the TLS negotiation has been aborted and the connection
falls back to plaintext, or the TLS connection has been negotiated in the
absence of a trust path, it's a bad sign.
> 3, linux clients with LDAP authentication don't comply
> 4, AFAIK, samba on client doesn't comply (need to prove)
> 5, eGroupWare webserver with LDAP user authentication doesn't comply
Comply with what?
> 6, if the date of certificate was the right problem here, one would
> assume that someone would complain loudly with "certificate out of date"
> and end up regularly
Well, one would hope so, but it depends on how well the client security has
been configured.
> >Hrm, odd. Are there any previous errors, possibly at a higher debug
> >level? If this is on the LDAP socket, it suggests some pretty big
> >brokenness.
> Please, suggest the right debug level that I should use.
Level 5 should be verbose enough for anything we'd need, so if you're
concerned about only having one opportunity to test, please use that.
Otherwise, you could start at 1 and work your way up until we find what we
need.
--
Steve Langasek
Debian Developer
vorlon at debian.org
http://www.debian.org/
"Give me a lever long enough and a Free OS to set it on, and I can move the world."
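The two checks Steve describes as bypassed above (the validity window, and the certificate's subject name against the host the client actually connected to) can be run by hand against the dump that `openssl x509 -noout -text -in /etc/ldap/slapd-cert-ldap1.pem` prints. The script below is an added example, not code from this bug thread nor from samba or OpenLDAP. It re-types the certificate header quoted in the report as a constructed sample, uses the date of the report as "now", and looks only at the subject CN (the 2004 certificate shows no subjectAltName, which current verifiers insist on), so it is a diagnostic aid for reading such dumps rather than a replacement for the TLS library's own verification.

```python
"""Diagnostic check of an X.509 server certificate from the text dump
produced by `openssl x509 -noout -text -in <cert.pem>`.

Added example, not code from the bug thread or from samba/OpenLDAP.
It re-implements the two checks a TLS client performs before trusting
a server: is the current time inside the validity window, and does the
certificate's subject name match the host name the client asked for.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the leading lines of the dump quoted in the report,
# re-typed in the layout openssl prints (indentation, space-padded day).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=SK, ST=Slovakia, L=Banska Bystrica, O=Mesto, OU=Referat informatiky, CN=ldap2.misbb.sk/emailAddress=hlavaty at misbb.sk
        Validity
            Not Before: May  2 14:13:55 2004 GMT
            Not After : May  2 14:13:55 2005 GMT
        Subject: C=SK, ST=Slovakia, L=Banska Bystrica, O=Mesto, OU=Referat informatiky, CN=ldap1.misbb.sk/emailAddress=hlavaty at misbb.sk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
"""

REPORT_DATE = "2007-03-05"  # date of the message above


def parse_openssl_date(s):
    """Parse 'May  2 14:13:55 2004 GMT' (openssl always prints GMT)."""
    s = s.strip()
    if s.endswith(" GMT"):
        s = s[:-4]
    return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Extract the subject CN and validity window from `openssl x509 -text` output."""
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M).group(1)
    # The old openssl one-line DN format separates RDNs with ',' or '/'.
    cn = re.search(r"CN=([^,/]+)", subject).group(1).strip()
    not_before = re.search(r"Not Before\s*:\s*(.+)$", text, re.M).group(1)
    not_after = re.search(r"Not After\s*:\s*(.+)$", text, re.M).group(1)
    return {
        "cn": cn,
        "not_before": parse_openssl_date(not_before),
        "not_after": parse_openssl_date(not_after),
    }


def hostname_matches(cn, hostname):
    """RFC 2818 style name match: case-insensitive, '*' covers one left label."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == cn[2:]
    return cn == hostname


def check_certificate(text, hostname, now):
    """Return the reasons a client should reject this certificate for
    `hostname` at time `now` (ISO date string or aware datetime).
    An empty list means both checks passed."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    cert = parse_cert_text(text)
    problems = []
    if now < cert["not_before"]:
        problems.append("not yet valid before %s" % cert["not_before"].date())
    if now > cert["not_after"]:
        problems.append("expired on %s" % cert["not_after"].date())
    if not hostname_matches(cert["cn"], hostname):
        problems.append("subject CN %r does not match host %r" % (cert["cn"], hostname))
    return problems


if __name__ == "__main__":
    # ldap1.misbb.sk: the name matches but the certificate is expired.
    # localhost: expired *and* the name does not match, so a client that
    # still connects here is not looking at the certificate at all.
    for host in ("ldap1.misbb.sk", "localhost"):
        print(host, "->", check_certificate(SAMPLE_CERT_TEXT, host, REPORT_DATE) or "OK")
```

Run against the report's own certificate, the `ldap1.misbb.sk` case fails only on expiry, while the `localhost` case fails on both expiry and the name mismatch, which is why a connection that succeeds over `localhost` cannot have validated the certificate at all.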