Bug#411042: Info received (Bug#411042: [Pkg-samba-maint] Bug#411042:
samba -dosen't connect to OpenLDAP)
vorlon at debian.org
Tue Mar 6 03:29:14 CET 2007
On Mon, Mar 05, 2007 at 01:57:49PM +0100, Mgr. Peter Tuharsky wrote:
> >What is the cn in the SSL certificate being used by the LDAP server? It
> >seems odd that this would work at all with start tls, unless your SSL
> >certificate was set up oddly.
> This is the beginning of the /etc/ldap/slapd-cert-ldap1.pem
> Version: 3 (0x2)
> Serial Number: 2 (0x2)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=SK, ST=Slovakia, L=Banska Bystrica, O=Mesto,
> OU=Referat informatiky, CN=ldap2.misbb.sk/emailAddress=hlavaty at misbb.sk
> Not Before: May 2 14:13:55 2004 GMT
> Not After : May 2 14:13:55 2005 GMT
> Subject: C=SK, ST=Slovakia, L=Banska Bystrica, O=Mesto,
> OU=Referat informatiky, CN=ldap1.misbb.sk/emailAddress=hlavaty at misbb.sk
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> It seems, that certificate is expired already.
Right, that's at least one problem in the setup.
> However, there are some questionable circumstances:
> 1, it has been working alright before, few weeks ago, on Sarge
That suggests a bug in the checking that was done in sarge.
> 2, it works even now for samba if localhost is specified (as mentioned
That means the information in the certificate is being completely bypassed;
whether that means the TLS negotiation has been aborted and the connection
falls back to plaintext, or the TLS connection has been negotiated in the
absence of a trust path, it's a bad sign.
> 3, linux clients with LDAP authentication don't comply
> 4, AFAIK, samba on client dosen't comply (need to prove)
> 5, eGroupWare webserver with LDAP user authentication dosen't comply
Comply with what?
> 6, if the date of certificate was the right problem here, one would
> assume that someone would complain loudly with "certificate out of date"
> and end up regulary
Well, one would hope so, but it depends on how well the client security has
> >Hrm, odd. Are there any previous errors, possibly at a higher debug
> >level? If this is on the LDAP socket, it suggests some pretty big
> Please, suggest the right debug level that I should use.
Level 5 should be verbose enough for anything we'd need, so if you're
concerned about only having one opportunity to test, please use that.
Otherwise, you could start at 1 and work you way up until we find what we
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon at debian.org http://www.debian.org/
More information about the Pkg-samba-maint