Debian Bug report logs - #425379
libnss-ldap: uses wrong port for ldaps:// URLs


Package: libnss-ldap; Maintainer for libnss-ldap is Debian QA Group <packages@qa.debian.org>; Source for libnss-ldap is src:libnss-ldap.

Reported by: Sjoerd Simons <sjoerd@debian.org>

Date: Mon, 21 May 2007 10:36:01 UTC

Severity: important

Tags: upstream

Found in versions libnss-ldap/261-2.1, libnss-ldap/255-1

Fixed in version libnss-ldap/264-1

Done: Arthur de Jong <adejong@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.padl.com/show_bug.cgi?id=379



Report forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#425379; Package libnss-ldap.


Acknowledgement sent to Sjoerd Simons <sjoerd@debian.org>:
New Bug report received and forwarded. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Sjoerd Simons <sjoerd@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libnss-ldap: Can't connect to ldap server anymore
Date: Mon, 21 May 2007 12:34:35 +0200
Package: libnss-ldap
Version: 255-1
Severity: important


Hi,

  When upgrading from 251-7.5 libnss-ldap starts failing. Debug shows the
  following:

ldap_connect_to_host: Trying 2001:610:1118:0:204:75ff:fe95:b60 389
ldap_connect_timeout: fd: 4 tm: 30 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=challenger.ipv6.spacelabs.nl
tls_write: want=73, written=73
  0000:  16 03 01 00 44 01 00 00  40 03 01 46 51 6f ed 4f   ....D...@..FQoíO  
  0010:  9c 6d 09 09 8e a8 5f 00  b6 a8 e2 26 c4 80 18 18   .m...¨_.¶¨â&Ä...  
  0020:  80 a3 8e 24 0e 39 27 9b  6d 78 ad 00 00 18 00 33   .£.$.9'.mx­....3  
  0030:  00 16 00 39 00 2f 00 0a  00 35 00 05 00 04 00 32   ...9./...5.....2  
  0040:  00 13 00 38 00 66 02 01  00                        ...8.f...         
tls_read: want=5, got=0

TLS: can't connect.
ldap_err2string
ldap_err2string

  Our ldap server is using a self-signed certificate and "TLS_REQCERT never"
  is specified in /etc/ldap/ldap.conf.

  Yes I know, this is not the most secure setup and we should fix it sometime.
  But it should still work :)

    Sjoerd

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.20-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=nl_NL (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0]       1.5.13       Debian configuration management sy
ii  libc6                       2.5-8        GNU C Library: Shared libraries
ii  libkrb53                    1.6.dfsg.1-4 MIT Kerberos runtime libraries
ii  libldap2                    2.1.30-13.4  OpenLDAP libraries

Versions of packages libnss-ldap recommends:
ii  libpam-ldap                   184-1      Pluggable Authentication Module al
ii  nscd                          2.5-8      GNU C Library: Name Service Cache 

-- debconf information:
* libnss-ldap/dblogin: false
* libnss-ldap/override: false
* shared/ldapns/base-dn: ou=Users,dc=spacelabs,dc=nl
* shared/ldapns/ldap-server: 127.0.0.1
* libnss-ldap/confperm: false
* libnss-ldap/rootbinddn: cn=manager,dc=example,dc=net
* shared/ldapns/ldap_version: 3
  libnss-ldap/binddn: cn=proxyuser,dc=example,dc=net
* libnss-ldap/nsswitch:
* libnss-ldap/dbrootlogin: true
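
The tls_write dump above is worth decoding, because it already shows the shape of the failure: the client connects to port 389 and then, as its very first bytes, sends a TLS ClientHello (ldaps-style TLS from the first byte, not a StartTLS negotiation inside LDAP), and the plain-LDAP listener on that port answers with nothing, hence "tls_read: want=5, got=0". The following is an added example, not code from the bug report or from libnss-ldap: a bounds-checked parser for a TLS 1.0-era ClientHello record, run over the 73 bytes copied from the hex dump. The byte array is the only thing taken from the page; the parser handles exactly the fields present in that dump (no extensions, which the dump does not carry) and rejects truncated or malformed input rather than reading past the buffer. The gmt_unix_time field it extracts, 1179742189, decodes to 2007-05-21 10:09:49 UTC, a few minutes before the report was sent.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 73 bytes from the report's tls_write dump (copied from its hex columns). */
static const uint8_t report_hello[] = {
    0x16,0x03,0x01,0x00,0x44,0x01,0x00,0x00,0x40,0x03,0x01,0x46,0x51,0x6f,0xed,0x4f,
    0x9c,0x6d,0x09,0x09,0x8e,0xa8,0x5f,0x00,0xb6,0xa8,0xe2,0x26,0xc4,0x80,0x18,0x18,
    0x80,0xa3,0x8e,0x24,0x0e,0x39,0x27,0x9b,0x6d,0x78,0xad,0x00,0x00,0x18,0x00,0x33,
    0x00,0x16,0x00,0x39,0x00,0x2f,0x00,0x0a,0x00,0x35,0x00,0x05,0x00,0x04,0x00,0x32,
    0x00,0x13,0x00,0x38,0x00,0x66,0x02,0x01,0x00
};

struct hello_info {
    uint8_t  record_type;        /* 22 = handshake */
    uint16_t record_version;     /* 0x0301 = TLS 1.0 */
    uint16_t record_length;
    uint8_t  handshake_type;     /* 1 = ClientHello */
    uint16_t client_version;
    uint32_t gmt_unix_time;      /* first 4 bytes of the 32-byte client random */
    uint8_t  session_id_length;
    size_t   cipher_suite_count;
    uint16_t first_suite;
    uint8_t  compression_count;
};

/* Parse one TLS record carrying a ClientHello (RFC 2246 layout, no extensions).
   Returns 0 on success, -1 if any length field would run past the buffer. */
int parse_client_hello(const uint8_t *buf, size_t len, struct hello_info *h)
{
    size_t pos, hs_len, cs_len;

    memset(h, 0, sizeof *h);
    if (len < 9) return -1;
    h->record_type    = buf[0];
    h->record_version = (uint16_t)(buf[1] << 8 | buf[2]);
    h->record_length  = (uint16_t)(buf[3] << 8 | buf[4]);
    if (h->record_type != 22 || (size_t)h->record_length + 5 > len) return -1;
    len = (size_t)h->record_length + 5;            /* trust nothing beyond this record */

    h->handshake_type = buf[5];
    hs_len = (size_t)buf[6] << 16 | (size_t)buf[7] << 8 | buf[8];
    if (h->handshake_type != 1 || 9 + hs_len != len) return -1;
    pos = 9;

    if (pos + 2 + 32 + 1 > len) return -1;          /* version + random + session id len */
    h->client_version = (uint16_t)(buf[pos] << 8 | buf[pos + 1]);
    pos += 2;
    h->gmt_unix_time = (uint32_t)buf[pos] << 24 | (uint32_t)buf[pos + 1] << 16
                     | (uint32_t)buf[pos + 2] << 8 | buf[pos + 3];
    pos += 32;                                       /* skip the whole random field */

    h->session_id_length = buf[pos++];
    if (pos + h->session_id_length + 2 > len) return -1;
    pos += h->session_id_length;

    cs_len = (size_t)(buf[pos] << 8 | buf[pos + 1]);
    pos += 2;
    if (cs_len == 0 || cs_len % 2 || pos + cs_len + 1 > len) return -1;
    h->cipher_suite_count = cs_len / 2;
    h->first_suite = (uint16_t)(buf[pos] << 8 | buf[pos + 1]);
    pos += cs_len;

    h->compression_count = buf[pos++];
    if (h->compression_count == 0 || pos + h->compression_count > len) return -1;
    return 0;
}

/* Scalar view of the parse, so a caller can check one field as a plain number:
   returns the named field, or -1 if the bytes are not a well-formed ClientHello. */
long hello_field(const uint8_t *buf, size_t len, const char *field)
{
    struct hello_info h;
    if (parse_client_hello(buf, len, &h) != 0) return -1;
    if (!strcmp(field, "record_type"))        return h.record_type;
    if (!strcmp(field, "record_version"))     return h.record_version;
    if (!strcmp(field, "handshake_type"))     return h.handshake_type;
    if (!strcmp(field, "client_version"))     return h.client_version;
    if (!strcmp(field, "gmt_unix_time"))      return (long)h.gmt_unix_time;
    if (!strcmp(field, "cipher_suite_count")) return (long)h.cipher_suite_count;
    if (!strcmp(field, "first_suite"))        return h.first_suite;
    if (!strcmp(field, "compression_count"))  return h.compression_count;
    return -1;
}

int main(void)
{
    struct hello_info h;
    if (parse_client_hello(report_hello, sizeof report_hello, &h) != 0) {
        puts("not a TLS ClientHello");
        return 1;
    }
    printf("TLS record v%u.%u, ClientHello v%u.%u, %zu cipher suites (first 0x%04x), "
           "gmt_unix_time %u\n",
           h.record_version >> 8, h.record_version & 0xff,
           h.client_version >> 8, h.client_version & 0xff,
           h.cipher_suite_count, h.first_suite, h.gmt_unix_time);
    return 0;
}
```

Reading the result against the log is the diagnostic step: a client that emits a ClientHello as its first write is doing ldaps, and a listener that closes the connection without a byte in reply is not a TLS listener, so before touching certificate settings the thing to check is the port in "ldap_connect_to_host: Trying ... 389".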



Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#425379; Package libnss-ldap.


Acknowledgement sent to Richard A Nelson <cowboy@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>.


Message #10 received at 425379@bugs.debian.org:

From: Richard A Nelson <cowboy@debian.org>
To: Sjoerd Simons <sjoerd@debian.org>, 425379@bugs.debian.org
Subject: Re: Bug#425379: libnss-ldap: Can't connect to ldap server anymore
Date: Mon, 21 May 2007 08:32:53 -0700 (PDT)
On Mon, 21 May 2007, Sjoerd Simons wrote:

> Package: libnss-ldap
> Version: 255-1
> Severity: important
>
>
> Hi,

Hello, and you win the prize of filing the 1st bug routed to the new
maintainer - your prize is still being determined :)

>  When upgrading from 251-7.5 libnss-ldap starts failing. Debug shows the
>  following:
>
> TLS: can't connect.
> ldap_err2string
> ldap_err2string

You should try -vd9999 - with higher debugging, you can see the notice
that your certificate was likely rejected due to being self-signed.

>  Our ldap server is using a self-signed certificate and ``TLS_REQCERT never''
>  is specified in /etc/ldap/ldap.conf..

Please try the following settings instead:
TLS_CACERTDIR /etc/ssl/certs
TLS_CRLCHECK none
# Allow self-signed certificates
TLS_REQCERT allow

Now, there's a caveat here, that the ca-certificates package can leave
dangling symlinks in /etc/ssl/certs... and those will also cause
certificate failure :(

So, you may need to run `update-ca-certificates -f` to force the cleanup
(or a q&d script to just remove them).

>  Yes i know, this is not the most secure setup and we should fix it sometime..
>  But it should still work :)

Yeah,  I'm in the same boat :)

-- 
Rick Nelson
Machine Always Crashes, If Not, The Operating System Hangs (MACINTOSH)
		-- Topic on #Linux



Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#425379; Package libnss-ldap.


Acknowledgement sent to sjoerd@spring.luon.net (Sjoerd Simons):
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>.


Message #15 received at 425379@bugs.debian.org:

From: sjoerd@spring.luon.net (Sjoerd Simons)
To: Richard A Nelson <cowboy@debian.org>
Cc: Sjoerd Simons <sjoerd@debian.org>, 425379@bugs.debian.org
Subject: Re: Bug#425379: libnss-ldap: Can't connect to ldap server anymore
Date: Mon, 21 May 2007 19:54:16 +0200
On Mon, May 21, 2007 at 08:32:53AM -0700, Richard A Nelson wrote:
> On Mon, 21 May 2007, Sjoerd Simons wrote:
> Hello, and you win the prize of filing the 1st bug routed to the new
> maintainer - your prize is still being determined :)

:)

> > When upgrading from 251-7.5 libnss-ldap starts failing. Debug shows the
> > following:
> >
> >TLS: can't connect.
> >ldap_err2string
> >ldap_err2string
> 
> You should try -vd9999 - with higher debugging, you can see the notice
> that your certificate was likely rejected due to being self-signed.

I've put debug 9999 in /etc/libnss-ldap.conf but that doesn't reveal more
information..

> > Our ldap server is using a self-signed certificate and ``TLS_REQCERT 
> > never''
> > is specified in /etc/ldap/ldap.conf..
> 
> Please try the following settings instead:
> TLS_CACERTDIR /etc/ssl/certs
> TLS_CRLCHECK none
> # Allow self-signed certificates
> TLS_REQCERT allow

Using allow instead of never makes it fail because the CN doesn't match, or at
least it makes ldapsearch fail. For nss it doesn't make a difference (as in,
it still fails). We're using ldap.spacelabs.nl which refers to two ldap
servers, but both have their own certificates with their respective hostnames
as CN (oh, wonderful SSL world)

> Now, there's a caveat here, that the ca-certificates package can leave
> dangling symlinks in /etc/ssl/certs... and those will also cause
> certificate failure :(
> 
> So, you may need to run `update-ca-certificates -f` to force the cleanup
> (or a q&d script to just remove them).

Also didn't help..

> > Yes i know, this is not the most secure setup and we should fix it 
> > sometime..
> > But it should still work :)
> 
> Yeah,  I'm in the same boat :)

:)


  Sjoerd
-- 
My religion consists of a humble admiration of the illimitable superior
spirit who reveals himself in the slight details we are able to perceive
with our frail and feeble mind.
		-- Albert Einstein



Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#425379; Package libnss-ldap.


Acknowledgement sent to Richard A Nelson <cowboy@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>.


Message #20 received at 425379@bugs.debian.org:

From: Richard A Nelson <cowboy@debian.org>
To: Sjoerd Simons <sjoerd@spring.luon.net>, 425379@bugs.debian.org
Cc: Sjoerd Simons <sjoerd@debian.org>
Subject: Re: Bug#425379: libnss-ldap: Can't connect to ldap server anymore
Date: Mon, 21 May 2007 12:37:29 -0700 (PDT)
On Mon, 21 May 2007, Sjoerd Simons wrote:

>> You should try -vd9999 - with higher debugging, you can see the notice
>> that your certificate was likely rejected due to being self-signed.
>
> I've put debug 9999 in /etc/libnss-ldap.conf but that doesn't reveal more
> information..

Then I wonder if you are really connecting at all !  You should see data
like:
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority, issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
...
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
...
TLS trace: SSL_connect:SSLv3 flush data

> Using allow instead of never makes it fail because the CN doesn't match or at
> least it makes ldapsearch fail.. For nss it doesn't make a difference (as in ,
> it still fails).. We're using ldap.spacelabs.nl which refers to two ldap
> servers, but both have their own certificates with their respective hostnames
> as CN (oh, wonderfull SSL world)

You can do a wildcard certificate (something I need to do for my setup,
but haven't yet).

> Also didn't help..

Again, I wonder if you are actually making a connection

What are the host/uri lines in /etc/ldap/ldap.conf ?

-- 
Rick Nelson
"I don't know why, but first C programs tend to look a lot worse than
first programs in any other language (maybe except for fortran, but then
I suspect all fortran programs look like `firsts')"
(By Olaf Kirch)



Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#425379; Package libnss-ldap.


Acknowledgement sent to sjoerd@spring.luon.net (Sjoerd Simons):
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>.


Message #25 received at 425379@bugs.debian.org:

From: sjoerd@spring.luon.net (Sjoerd Simons)
To: 425379@bugs.debian.org
Cc: Sjoerd Simons <sjoerd@debian.org>, Richard A Nelson <cowboy@debian.org>
Subject: Re: libnss-ldap: Can't connect to ldap server anymore
Date: Thu, 31 May 2007 21:09:30 +0200
On Mon, May 21, 2007 at 12:34:35PM +0200, Sjoerd Simons wrote:
> ldap_connect_to_host: Trying 2001:610:1118:0:204:75ff:fe95:b60 389
> ldap_connect_timeout: fd: 4 tm: 30 async: 0
> ldap_ndelay_on: 4
> ldap_is_sock_ready: 4
> ldap_ndelay_off: 4
> ldap_int_sasl_open: host=challenger.ipv6.spacelabs.nl
> tls_write: want=73, written=73
>   0000:  16 03 01 00 44 01 00 00  40 03 01 46 51 6f ed 4f   ....D...@..FQoíO  
>   0010:  9c 6d 09 09 8e a8 5f 00  b6 a8 e2 26 c4 80 18 18   .m...¨_.¶¨â&Ä...  
>   0020:  80 a3 8e 24 0e 39 27 9b  6d 78 ad 00 00 18 00 33   .£.$.9'.mx­....3  
>   0030:  00 16 00 39 00 2f 00 0a  00 35 00 05 00 04 00 32   ...9./...5.....2  
>   0040:  00 13 00 38 00 66 02 01  00                        ...8.f...         
> tls_read: want=5, got=0
> 
> TLS: can't connect.
> ldap_err2string
> ldap_err2string

Finally found it! (Sorry for the late reply btw).. The problem isn't SSL, it's
connecting to the wrong port!  Instead of to the ldaps port (636), it's
connecting to the plain ldap port (389)..

I actually discovered this by looking at the diffs between the two versions.

The offending change is:
  -      p = strchr (p, ':');
  +      p = strchr (++p, ':');
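
Review bot: with `strchr (++p, ':')` the search now starts after the scheme's own colon, so a URI such as ldaps://host with no explicit port yields NULL where the old `strchr (p, ':')` always hit the scheme colon and reported a port; the code that consumes that NULL (below this hunk, not shown) must then take the default from the scheme, 636 for ldaps:// and 389 for ldap://, or better still pass the URI to libldap untouched and let it apply its own scheme default, rather than appending the plain-LDAP port unconditionally as the reporter observes. Two smaller points on the same line: the pre-increment inside the call silently assumes p is positioned on the scheme colon, which deserves a comment or the clearer `p = strchr (p + 1, ':')`, and a bracketed IPv6 host literal such as ldap://[2001:db8::1] contains colons that this scan will take for a port separator.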

Which actually fixes the bug that it thought an ldap uri always had a port
specified.

But now it detects that a URI doesn't have one, and since the non-ldaps port is
the default, it assumes that the user specified a non-default port (which isn't
the case). It adds a port to the URI given to libldap in the code just below...
Whoops

  Sjoerd
-- 
That that is is that that is not is not.
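
A stand-alone model of the port logic Sjoerd describes, written for this page rather than taken from nss_ldap (the real code is only visible through the one-line diff above): one routine finds an explicit port without confusing it with the scheme's colon or with the colons of a bracketed IPv6 literal, one applies the scheme default (636 for ldaps://, 389 for ldap://), and two rewrite the URI the way the report says the buggy version does and the way a fixed version should. The hostnames are made up; the rewrite functions use static buffers and are not reentrant.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code for this page, not nss_ldap's own source: a small model of the
   URI port handling the report describes. Hostnames in main() are made up. */

/* Default port implied by the scheme: ldaps:// -> 636, ldap:// -> 389, else -1. */
int scheme_default_port(const char *uri)
{
    if (strncmp(uri, "ldaps://", 8) == 0) return 636;
    if (strncmp(uri, "ldap://", 7) == 0)  return 389;
    return -1;
}

/* Explicit port in the authority part: the number, 0 if none, -1 if malformed.
   The scan starts after "://" so the scheme's colon is never taken for a port
   separator, and a bracketed IPv6 literal such as [2001:db8::1] is skipped whole. */
int explicit_port(const char *uri)
{
    const char *p = strstr(uri, "://");
    char *end;
    long port;

    if (p == NULL) return -1;
    p += 3;
    if (*p == '[') {
        p = strchr(p, ']');
        if (p == NULL) return -1;
        p++;
    } else {
        p += strcspn(p, ":/");          /* host ends at ':', '/' or end of string */
    }
    if (*p != ':') return 0;            /* no port before the path */
    p++;
    if (*p < '0' || *p > '9') return -1;
    port = strtol(p, &end, 10);
    if (port < 1 || port > 65535 || (*end != '\0' && *end != '/')) return -1;
    return (int)port;
}

/* Port the connection will actually use once the scheme default is applied. */
int effective_port(const char *uri)
{
    int port = explicit_port(uri);
    if (port < 0) return -1;
    return port == 0 ? scheme_default_port(uri) : port;
}

/* Insert ":port" right after the host part, keeping any path that follows.
   Only called after explicit_port() has validated the URI, so the ']' exists. */
static const char *insert_port(const char *uri, int port, char *out, size_t outlen)
{
    const char *host = strstr(uri, "://") + 3;
    const char *rest = (*host == '[') ? strchr(host, ']') + 1 : host + strcspn(host, "/");

    snprintf(out, outlen, "%.*s:%d%s", (int)(rest - uri), uri, port, rest);
    return out;
}

/* The behaviour the reporter hit: whenever no port is present, the plain-LDAP
   port is appended whatever the scheme, so "ldaps://host" turns into
   "ldaps://host:389" and the TLS handshake is sent to a listener without TLS. */
const char *rewrite_uri_buggy(const char *uri)
{
    static char out[512];
    int port = explicit_port(uri);
    if (port < 0) return NULL;
    return port == 0 ? insert_port(uri, 389, out, sizeof out) : uri;
}

/* Corrected: a missing port gets the scheme's own default. */
const char *rewrite_uri_fixed(const char *uri)
{
    static char out[512];
    int port = explicit_port(uri);
    int def = scheme_default_port(uri);
    if (port < 0 || def < 0) return NULL;
    return port == 0 ? insert_port(uri, def, out, sizeof out) : uri;
}

int main(void)
{
    const char *uris[] = { "ldaps://ldap.example.net", "ldap://ldap.example.net",
                           "ldaps://[2001:db8::1]/", "ldap://ldap.example.net:1389" };
    size_t i;
    for (i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-30s buggy: %-34s fixed: %-34s port %d\n", uris[i],
               rewrite_uri_buggy(uris[i]), rewrite_uri_fixed(uris[i]),
               effective_port(uris[i]));
    return 0;
}
```

The simplest correct form is actually the one with no rewrite at all: if no port is present, hand the URI to libldap exactly as configured and let it pick 389 or 636 from the scheme; only an explicitly configured port has to survive into the URI.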



Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#425379; Package libnss-ldap.


Acknowledgement sent to Sjoerd Simons <sjoerd@spring.luon.net>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>.


Message #30 received at 425379@bugs.debian.org:

From: Sjoerd Simons <sjoerd@spring.luon.net>
To: 425379@bugs.debian.org, control@bugs.debian.org
Cc: Sjoerd Simons <sjoerd@debian.org>, Richard A Nelson <cowboy@debian.org>
Subject: Re: Bug#425379: libnss-ldap: Can't connect to ldap server anymore
Date: Mon, 9 Jul 2007 12:05:52 +0200
severity 425379 important
thanks

On Thu, May 31, 2007 at 09:09:30PM +0200, Sjoerd Simons wrote:
> On Mon, May 21, 2007 at 12:34:35PM +0200, Sjoerd Simons wrote:
> > ldap_connect_to_host: Trying 2001:610:1118:0:204:75ff:fe95:b60 389
> > ldap_connect_timeout: fd: 4 tm: 30 async: 0
> > ldap_ndelay_on: 4
> > ldap_is_sock_ready: 4
> > ldap_ndelay_off: 4
> > ldap_int_sasl_open: host=challenger.ipv6.spacelabs.nl
> > tls_write: want=73, written=73
> >   0000:  16 03 01 00 44 01 00 00  40 03 01 46 51 6f ed 4f   ....D...@..FQoíO  
> >   0010:  9c 6d 09 09 8e a8 5f 00  b6 a8 e2 26 c4 80 18 18   .m...¨_.¶¨â&Ä...  
> >   0020:  80 a3 8e 24 0e 39 27 9b  6d 78 ad 00 00 18 00 33   .£.$.9'.mx­....3  
> >   0030:  00 16 00 39 00 2f 00 0a  00 35 00 05 00 04 00 32   ...9./...5.....2  
> >   0040:  00 13 00 38 00 66 02 01  00                        ...8.f...         
> > tls_read: want=5, got=0
> > 
> > TLS: can't connect.
> > ldap_err2string
> > ldap_err2string
> 
> Finally found it! (Sorry for the late reply btw).. The problem isn't SSL, it's
> connecting to the wrong port!  Instead of to the ldaps port (636), it's
> connecting to the plain ldap port (389)..
> 
> I actually discovered this by looking at the diffs between the two versions.
> 
> The offeding changes is:
>   -      p = strchr (p, ':');
>   +      p = strchr (++p, ':');
> 
> Which actually fixes the bug that it thought an ldap uri always had a port
> specified.
> 
> But now it detect that a uri doesn't have and as the non-ldaps port is default,
> it assumes that the user specified a non-default port (which isn't the case)..
> It adds a port to the uri given to libldap in the code just below... Woops


Any progress on this ? I've basically pointed out what goes wrong where, so it
should be just a matter of actually fixing it now :)

As it still breaks my ldap setup, I've set the severity to important.

  Sjoerd
-- 
At the end of your life there'll be a good rest, and no further activities
are scheduled.



Severity set to `important' from `important' Request was from Sjoerd Simons <sjoerd@spring.luon.net> to control@bugs.debian.org. (Mon, 09 Jul 2007 10:09:04 GMT)


Reply sent to Richard A Nelson (Rick) <cowboy@debian.org>:
You have taken responsibility.


Notification sent to Sjoerd Simons <sjoerd@debian.org>:
Bug acknowledged by developer.


Message #37 received at 425379-close@bugs.debian.org:

From: Richard A Nelson (Rick) <cowboy@debian.org>
To: 425379-close@bugs.debian.org
Subject: Bug#425379: fixed in libnss-ldap 258-1
Date: Sun, 21 Oct 2007 00:32:03 +0000
Source: libnss-ldap
Source-Version: 258-1

We believe that the bug you reported is fixed in the latest version of
libnss-ldap, which is due to be installed in the Debian FTP archive:

libnss-ldap_258-1.diff.gz
  to pool/main/libn/libnss-ldap/libnss-ldap_258-1.diff.gz
libnss-ldap_258-1.dsc
  to pool/main/libn/libnss-ldap/libnss-ldap_258-1.dsc
libnss-ldap_258-1_amd64.deb
  to pool/main/libn/libnss-ldap/libnss-ldap_258-1_amd64.deb
libnss-ldap_258.orig.tar.gz
  to pool/main/libn/libnss-ldap/libnss-ldap_258.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 425379@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Richard A Nelson (Rick) <cowboy@debian.org> (supplier of updated libnss-ldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.7
Date: Sat, 20 Oct 2007 22:28:00 -0000
Source: libnss-ldap
Binary: libnss-ldap
Architecture: source amd64
Version: 258-1
Distribution: unstable
Urgency: low
Maintainer: Richard A Nelson (Rick) <cowboy@debian.org>
Changed-By: Richard A Nelson (Rick) <cowboy@debian.org>
Description: 
 libnss-ldap - NSS module for using LDAP as a naming service
Closes: 396672 408440 411923 425379
Changes: 
 libnss-ldap (258-1) unstable; urgency=low
 .
   * New upstream release
     - replacement code for Kerberos SASL operations    closes: #396672
     - nss_ldap constructs LDAP URIs incorrectly        closes: #425379
   * drop patches applied upstream
     - 00ignore_sigpipe_h.patch
     - 00ignore_sigpipe_c.patch
   * Fix the config file mis-edit (host vs uri)  closes: #408440, #411923
Files: 
 37df919a94b99c02d10dda1e1722319e 801 net extra libnss-ldap_258-1.dsc
 a21ad7585566a98cc5d5bdb1c1f36ebb 273859 net extra libnss-ldap_258.orig.tar.gz
 4a285ef69c60f9c3b32d2b91ee8f944e 48088 net extra libnss-ldap_258-1.diff.gz
 f43411e911ba2c78d230cc0c00da0157 110138 net extra libnss-ldap_258-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQCVAwUBRxqbvqVTksHk9ElFAQHSlwQAgPMg5t7+hKmLfgS4PAy7quMsFe3wuy3P
pj4lECJRESahwflT2G4e2fCQK7VMhpFjGZ+cIjQyZwSnAJY1mwjvXeFMsODLbtrC
p6l0v1nBay7gBRJfojRB9doz/3rF2AuzPdXh3bncdJ1bBpLwgyLAO9hODxTxEusM
Pe4+cLxJT7g=
=6T0r
-----END PGP SIGNATURE-----





Bug reopened, originator not changed. Request was from Sjoerd Simons <sjoerd@debian.org> to control@bugs.debian.org. (Sat, 05 Jan 2008 12:45:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#425379; Package libnss-ldap.


Acknowledgement sent to Sjoerd Simons <sjoerd@luon.net>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>.


Message #44 received at 425379@bugs.debian.org:

From: Sjoerd Simons <sjoerd@luon.net>
To: 425379@bugs.debian.org, cowboy@debian.org
Subject: Re: Bug#425379 closed by Richard A Nelson (Rick) <cowboy@debian.org> (Bug#425379: fixed in libnss-ldap 258-1)
Date: Sat, 5 Jan 2008 13:13:07 +0100
On Sat, Jan 05, 2008 at 11:11:39AM +0000, Debian Bug Tracking System wrote:
>      - nss_ldap constructs LDAP URIs incorrectly        closes: #425379

Unfortunately, it still goes wrong.. I'm seeing libnss-ldap trying to connect
to port 389, while the config says ldaps.

  Sjoerd




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#425379; Package libnss-ldap.


Acknowledgement sent to Richard A Nelson <cowboy@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>.


Message #49 received at 425379@bugs.debian.org:

From: Richard A Nelson <cowboy@debian.org>
To: 425379@bugs.debian.org
Subject: libnss-ldap/ssl
Date: Thu, 3 Jul 2008 05:13:32 +0000 (UTC)
do you have any of the ssl options set in the conf file ?

There is an upstream bug about this issue and its not clear what is
going to happen :(

-- 
Rick Nelson
<n3tg0d> has /usr/bin/emacs been put into /etc/shells yet?  :P




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#425379; Package libnss-ldap. (Thu, 23 Jul 2009 18:21:03 GMT)


Acknowledgement sent to terry inzauro <tinzauro@ha-solutions.net>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Thu, 23 Jul 2009 18:21:03 GMT)


Message #54 received at 425379@bugs.debian.org:

From: terry inzauro <tinzauro@ha-solutions.net>
To: Debian Bug Tracking System <425379@bugs.debian.org>
Subject: upgrade from etch-> lenny breaks libnss-ldap
Date: Thu, 23 Jul 2009 13:18:57 -0500
Package: libnss-ldap
Version: 261-2.1
Followup-For: Bug #425379



-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldap depends on:
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  libc6           2.7-18                   GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1                 OpenLDAP libraries
ii  libsasl2-2      2.1.22.dfsg1-23+lenny1   Cyrus SASL - authentication abstra

Versions of packages libnss-ldap recommends:
ii  libpam-ldap                   184-4.2    Pluggable Authentication Module fo
ii  nscd                          2.7-18     GNU C Library: Name Service Cache 

libnss-ldap suggests no packages.




When upgrading from etch to lenny, libnss-ldap and TLS break.  The issue is resolved by installing libnss-ldapd.  I am uncertain what the differences are, but I think it is related to the switch from openssl to gnutls.  A google search reported similar issues.


Issue with:
        http://packages.debian.org/lenny/libnss-ldap

Fixed with:
        http://packages.debian.org/lenny/libnss-ldapd


jenna:~# uname -a
Linux jenna 2.6.26-2-686 #1 SMP Sun Jun 21 04:57:38 UTC 2009 i686 GNU/Linux

jenna:~# cat /etc/debian_version
5.0.2


# -------------------------------------------------
jenna:~# dpkg -I libnss-ldapd_0.6.7.1_i386.deb
 new debian package, version 2.0.
 size 109212 bytes: control archive= 11844 bytes.
      18 bytes,     1 lines      conffiles
    5982 bytes,   214 lines   *  config               #!/bin/sh
     893 bytes,    22 lines      control
     683 bytes,    10 lines      md5sums
    8203 bytes,   283 lines   *  postinst             #!/bin/sh
     613 bytes,    30 lines   *  postrm               #!/bin/sh
     263 bytes,    11 lines   *  prerm                #!/bin/sh
   15034 bytes,   188 lines      templates
 Package: libnss-ldapd
 Source: nss-ldapd
 Version: 0.6.7.1
 Architecture: i386
 Maintainer: Arthur de Jong <adejong@debian.org>
 Installed-Size: 244
 Depends: libc6 (>= 2.7-1), libkrb53 (>= 1.6.dfsg.2), libldap-2.4-2 (>= 2.4.7), libsasl2-2, debconf | debconf-2.0, adduser
 Recommends: nscd, libpam-ldap
 Conflicts: libnss-ldap
 Provides: libnss-ldap
 Section: net
 Priority: extra
 Homepage: http://ch.tudelft.nl/~arthur/nss-ldapd
 Description: NSS module for using LDAP as a naming service
  This package provides a Name Service Switch module that allows your LDAP
  server to provide user account, group, host name, alias, netgroup, and
  basically any other information that you would normally get from /etc flat
  files or NIS.
  .
  This is a fork from libnss-ldap implementing structural design changes
  to fix, amongst other things, problems related to host name lookups and
  name lookups during booting.
# -------------------------------------------------

# -------------------------------------------------
jenna:~# dpkg -I libnss-ldap_261-2.1_i386.deb

 new debian package, version 2.0.
 size 109036 bytes: control archive= 24925 bytes.
    2847 bytes,    97 lines   *  config               #!/usr/bin/perl
     806 bytes,    17 lines      control
    1185 bytes,    16 lines      md5sums
    4474 bytes,   189 lines   *  postinst             #!/bin/sh
     349 bytes,    18 lines   *  postrm               #!/bin/sh
   61516 bytes,   733 lines      templates
 Package: libnss-ldap
 Version: 261-2.1
 Architecture: i386
 Maintainer: Richard A Nelson (Rick) <cowboy@debian.org>
 Installed-Size: 248
 Depends: libc6 (>= 2.7-1), libcomerr2 (>= 1.01), libkrb53 (>= 1.6.dfsg.2), libldap-2.4-2 (>= 2.4.7), libsasl2-2, debconf | debconf-2.0
 Recommends: nscd, libpam-ldap
 Section: net
 Priority: extra
 Description: NSS module for using LDAP as a naming service
  This package provides a Name Service Switch that allows your LDAP server
  act as a name service. This means providing user account information,
  group id's, host information, aliases, netgroups, and basically anything
  else that you would normally get from /etc flat files or NIS.
  .
  If used with glibc 2.1's nscd (Name Service Cache Daemon) it will help
  reduce your network traffic and speed up lookups for entries.
# -------------------------------------------------




Information forwarded to debian-bugs-dist@lists.debian.org, Richard A Nelson (Rick) <cowboy@debian.org>:
Bug#425379; Package libnss-ldap. (Fri, 24 Jul 2009 02:24:03 GMT)


Acknowledgement sent to "Terry L. Inzauro" <tinzauro@ha-solutions.net>:
Extra info received and forwarded to list. Copy sent to Richard A Nelson (Rick) <cowboy@debian.org>. (Fri, 24 Jul 2009 02:24:03 GMT)


Message #59 received at 425379@bugs.debian.org:

From: "Terry L. Inzauro" <tinzauro@ha-solutions.net>
To: 425379@bugs.debian.org
Subject: upgrade from etch->lenny breaks sudo-ldap
Date: Thu, 23 Jul 2009 21:21:35 -0500
i am seeing the same behavior (tls is not functioning) with
sudo-ldap_1.6.9p17-2_i386.deb.


[21:15:17 toor@jenna:archives]$ sudo ls /
LDAP Config Summary
===================
uri          ldap://host1.oma.example.net ldap://host2.oma.example.net
ldap_version 3
sudoers_base ou=sudoers,ou=oma,dc=example,dc=net
binddn       (anonymous)
bindpw       (anonymous)
bind_timelimit  15000
timelimit    15
ssl          start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ssl/certs/ca.crt
===================
sudo: ldap_initialize(ld, ldap://host1.oma.example.net ldap://host2.oma.example.net)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/certs/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 15)

sudo: ldap_start_tls_s(): Connect error


[21:10:52 toor@jenna:archives]$ dpkg -I sudo-ldap_1.6.9p17-2_i386.deb
 new debian package, version 2.0.
 size 188332 bytes: control archive= 2525 bytes.
      33 bytes,     2 lines      conffiles
     642 bytes,    18 lines      control
    1674 bytes,    25 lines      md5sums
    1831 bytes,    64 lines   *  postinst             #!/usr/bin/perl
     170 bytes,     7 lines   *  postrm               #!/bin/sh
     260 bytes,    11 lines   *  prerm                #!/bin/sh
 Package: sudo-ldap
 Source: sudo
 Version: 1.6.9p17-2
 Architecture: i386
 Maintainer: Bdale Garbee <bdale@gag.com>
 Installed-Size: 460
 Depends: libc6 (>= 2.7-1), libldap-2.4-2 (>= 2.4.7), libpam0g (>= 0.99.7.1), libpam-modules
 Conflicts: sudo
 Replaces: sudo
 Provides: sudo
 Section: admin
 Priority: optional
 Description: Provide limited super user privileges to specific users
  Sudo is a program designed to allow a sysadmin to give limited root
  privileges to users and log root activity.  The basic philosophy is to give
  as few privileges as possible but still allow people to get their work done.
  .
  This version is built with LDAP support.





Reply sent to Arthur de Jong <adejong@debian.org>:
You have taken responsibility. (Fri, 30 Aug 2013 22:15:08 GMT)


Notification sent to Sjoerd Simons <sjoerd@debian.org>:
Bug acknowledged by developer. (Fri, 30 Aug 2013 22:15:08 GMT)


Message #64 received at 425379-done@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: Sjoerd Simons <sjoerd@luon.net>, 425379-done@bugs.debian.org
Subject: Re: Bug#425379: closed by Richard A Nelson (Rick) <cowboy@debian.org> (Bug#425379: fixed in libnss-ldap 258-1)
Date: Sat, 31 Aug 2013 00:13:04 +0200
Version: libnss-ldap/264-1
Control: retitle -1 libnss-ldap: uses wrong port for ldaps:// URLs
Control: tags -1 + upstream
Control: forwarded -1 http://bugzilla.padl.com/show_bug.cgi?id=379

On Sat, 2008-01-05 at 13:13 +0100, Sjoerd Simons wrote:
> Unfortunately, it still goes wrong.. I'm seeing libnss-ldap trying to connect
> to port 389, while the config says ldaps.

According to:
  http://bugzilla.padl.com/show_bug.cgi?id=379
this problem was fixed in version 264 so I'm closing this bug.

If you can still reproduce the problem, feel free to re-open this bug.

Thanks,

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --

Marked as fixed in versions libnss-ldap/264-1. Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Fri, 30 Aug 2013 22:36:04 GMT)


Changed Bug title to 'libnss-ldap: uses wrong port for ldaps:// URLs' from 'libnss-ldap: Can't connect to ldap server anymore' Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Fri, 30 Aug 2013 22:36:04 GMT)


Added tag(s) upstream. Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Fri, 30 Aug 2013 22:36:05 GMT)


Set Bug forwarded-to-address to 'http://bugzilla.padl.com/show_bug.cgi?id=379'. Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Fri, 30 Aug 2013 22:36:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 28 Sep 2013 07:35:01 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 23:24:43 2018; Machine Name: buxtehude
