Bug#550439: reply

2009-10-14 Thread Juergen Prenzel

Richard A Nelson wrote:


Whilst openldap is built against gnutls, libpam-ldap is built against
openssl. Could you run the server test using openssl s_client?

Hello,

it's essentially the same response:

p2:~# openssl s_client -connect 10.76.195.82:636 -verify 1 -CAfile /etc/ssl/certs/jp09_cert.pem
verify depth is 1
CONNECTED(0003)
depth=1 /CN=Juergen Prenzel/ST=Niedersachsen/C=DE/emailaddress=jpre...@gwdg.de/O=Univers
verify return:1
depth=0 /CN=10.76.195.82/ST=Niedersachsen/C=DE/emailaddress=jpre...@gwdg.de/O=University
verify return:1
---
Certificate chain
=== ... ===
Server certificate
=== ... ===
-----END CERTIFICATE-----
subject=/CN=10.76.195.82/ST=Niedersachsen/C=DE/emailaddress=jpre...@gwdg.de/O=University
issuer=/CN=Juergen Prenzel/ST=Niedersachsen/C=DE/emailaddress=jpre...@gwdg.de/O=Universi
---
No client certificate CA names sent
---
SSL handshake has read 1969 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: ED62D0C703 ...
    Session-ID-ctx:
    Master-Key: 4FC86A64B89582E ...DE03B1B326E78DD196C8A0C9118836E8B964E5274495BE44CC21267D5
    Key-Arg   : None
    Start Time: 1255229471
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---




I wonder if anyone else has recently met difficulties at this point ...

  Juergen Prenzel


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#550439: libpam-ldap: Fails to verify server certificate in TLS

2009-10-09 Thread Juergen Prenzel

Package: libpam-ldap
Version: 184-4.2
Severity: important


After migrating from etch to lenny I can no longer use the stanza

  uri ldaps://10.76.195.82
  tls_checkpeer yes
  tls_cacertfile /etc/ssl/certs/jp09_cert.pem

in /etc/pam_ldap.conf. If I do, authentication of users fails with
the following messages in /var/log/auth.log:

Oct 10 04:37:23 p2 sshd[13066]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Oct 10 04:37:23 p2 sshd[13066]: pam_ldap: reconnecting to LDAP server...
Oct 10 04:37:23 p2 sshd[13066]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Oct 10 04:37:26 p2 sshd[13066]: Failed password for jprenze from ...

With

 tls_checkpeer no

it works, but seems less secure.

But the certificate works with the server:

=
p2:/etc/ssl/certs# gnutls-cli -p 636 --x509cafile /etc/ssl/certs/jp09_cert.pem 10.76.195.82

Processed 1 CA certificate(s).
Resolving '10.76.195.82'...
Connecting to '10.76.195.82:636'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.

- Certificate[0] info:
# The hostname in the certificate matches '10.76.195.82'.
# valid since: Fri Oct  9 18:57:47 CEST 2009
# expires at: Thu Jul  5 18:57:47 CEST 2012
# fingerprint: 9B:B2:63:7E:33:47:61:99:C1:9E:5C:59:A9:B0:5B:77
# Subject's DN: CN=10.76.195.82,ST=Niedersachsen,C=DE,email=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen Institute
# Issuer's DN: CN=Juergen Prenzel,ST=Niedersachsen,C=DE,email=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen Institute

- Certificate[1] info:
# valid since: Fri Oct  9 18:56:59 CEST 2009
# expires at: Thu Jul  5 18:56:59 CEST 2012
# fingerprint: 3C:40:EF:D2:BC:35:71:57:0A:77:56:CA:9B:A0:54:AB
# Subject's DN: CN=Juergen Prenzel,ST=Niedersachsen,C=DE,email=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen Institute
# Issuer's DN: CN=Juergen Prenzel,ST=Niedersachsen,C=DE,email=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen Institute

- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
==

I guess that libpam-ldap somehow ignores the tls_cacertfile parameter.

 Juergen Prenzel

-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-ldap depends on:
ii  debconf [debconf-2.0]  1.5.24          Debian configuration management sy
ii  libc6                  2.7-18          GNU C Library: Shared libraries
ii  libldap-2.4-2          2.4.11-1        OpenLDAP libraries
ii  libpam0g               1.0.1-5+lenny1  Pluggable Authentication Modules l

libpam-ldap recommends no packages.

Versions of packages libpam-ldap suggests:
ii  libnss-ldapd [libnss-ldap]  0.6.7.1  NSS module for using LDAP as a nam

-- debconf information:
* shared/ldapns/base-dn: dc=example,dc=net
* shared/ldapns/ldap-server: ldapi:///
  libpam-ldap/pam_password: crypt
  libpam-ldap/binddn: cn=proxyuser,dc=example,dc=net
* libpam-ldap/rootbinddn: cn=manager,dc=example,dc=net
* libpam-ldap/dbrootlogin: true
  libpam-ldap/override: true
* shared/ldapns/ldap_version: 3
* libpam-ldap/dblogin: false




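What the tls_checkpeer yes stanza in the report above asks of the client is two separate checks: that the server certificate chains to the CA file, and that the identity in that certificate matches the address the client connected to. The gnutls-cli output shows both ("hostname in the certificate matches", "Peer's certificate is trusted"). The openssl s_client run in the reply further up only proves the first: s_client prints the verify result and, without -verify_return_error, completes the handshake regardless, and the s_client of that era did no name check at all. The script below is an added example, not code from the bug report, from libpam-ldap or from Debian. It uses the openssl command line the reply tested with to build a throwaway private CA and a server certificate for 10.76.195.82 (the address is taken from the report; the file names, the working directory, the second "wrong" CA and the alternate address 10.76.192.88 are assumptions made for the example), then runs the chain check and the chain-plus-identity check against the right CA, the wrong CA and the wrong address, so that each failure mode is visible without any network access.

```shell
#!/bin/sh
# Added example (not from the bug report): a throwaway CA, a server certificate
# for the reporter's LDAP address, and the two checks "tls_checkpeer yes" needs.
# All file names and the second CA are assumptions made for this example.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

SERVER_IP=10.76.195.82   # taken from the report
OTHER_IP=10.76.192.88    # assumed "wrong" address for the negative test

# Self-signed private CA with explicit CA extensions, the role jp09_cert.pem
# plays in the report.  $1 = basename, $2 = CN.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$2/O=University Goettingen" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca-ext.cnf"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
        -extfile "$WORK/ca-ext.cnf" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Server certificate issued by CA $1, with the address in subjectAltName so the
# identity check has something to match (the report's cert only had it in CN).
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$SERVER_IP/O=University Goettingen" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=IP:%s\n' "$SERVER_IP" > "$WORK/san.cnf"
    openssl x509 -req -in "$WORK/server.csr" -days 30 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Check 1, chain only: is server.pem signed by CA $1?  Exit status is the result.
verify_chain() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Check 2, chain plus identity: the address the client connected to ($2) must
# appear in the certificate.  This pair is what tls_checkpeer yes means.
verify_chain_and_ip() {
    openssl verify -CAfile "$WORK/$1.pem" -verify_ip "$2" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Build the right CA, an unrelated CA, and a server cert issued by the right one.
setup() {
    make_ca ca "Juergen Prenzel" &&
    make_ca other_ca "Some Other CA" &&
    make_server_cert ca
}

# Run with the argument "demo" to print one line per check.
if [ "${1:-}" = "demo" ]; then
    setup || { echo "setup failed (is the openssl command installed?)"; exit 1; }
    verify_chain ca              && echo "chain ok with the right CA"
    verify_chain other_ca        || echo "chain rejected with the wrong CA"
    verify_chain_and_ip ca "$SERVER_IP" && echo "identity ok for $SERVER_IP"
    verify_chain_and_ip ca "$OTHER_IP"  || echo "identity rejected for $OTHER_IP"
fi
```

The second check is the one a client must not skip: a certificate that chains correctly but was issued for a different server is exactly what an attacker who can obtain any certificate from the same CA would present, and tls_checkpeer no disables both checks, not just the name match. Note that openssl verify only compares -verify_ip against subjectAltName entries, so a server certificate that carries its address in CN alone, as the one in the report does, passes the chain check but fails the identity check here.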



Bug#409342: missing DNS in nsswitch.conf breaks libnss-ldap service

2007-02-01 Thread Juergen Prenzel

Package: libnss-ldap
Version: 251-7.1

A missing call to service DNS in /etc/nsswitch.conf makes the nsswitch
system unusable without an error message, even if DNS is not really needed.

My /etc/libnss-ldap.conf is
---cut---
uri ldaps://10.76.195.82 ldaps://10.76.192.88
tls_checkpeer yes
tls_cacert /etc/ssl/certs/cacert.pem
ldap_version 3

bind_policy hard
nss_reconnect_maxconntries 2
nss_reconnect_sleeptime 2
nss_reconnect_maxsleeptime 10
nss_reconnect_tries 2

base dc=ibw,dc=forst,dc=uni-goettingen,dc=de
pam_filter objectclass=posixAccount
pam_min_uid 1
nss_base_passwd ou=Leute,dc=ibw,dc=forst,dc=uni-goettingen,dc=de?one
nss_base_shadow ou=Leute,dc=ibw,dc=forst,dc=uni-goettingen,dc=de?one
nss_base_passwd ou=HostIds,dc=ibw,dc=forst,dc=uni-goettingen,dc=de?one
nss_base_group  ou=Gruppen,dc=ibw,dc=forst,dc=uni-goettingen,dc=de?one
nss_base_hosts ou=HostIds,dc=ibw,dc=forst,dc=uni-goettingen,dc=de?one
---cut---

My /etc/nsswitch.conf is
---cut---
passwd: files  ldap
group:  files  ldap
shadow: files  ldap

hosts:  files ldap
networks:   files

protocols:  db files
services:   db files
ethers: db files
rpc:db files

netgroup:   nis
---cut---

If I call 'getent passwd' I get only the contents of the local
/etc/passwd file and the process __hangs indefinitely__. There is no
error message in syslog.

I would expect an error message at least. A configuration without DNS
seems not unreasonable to me. In fact, the present server is a print
server. Nobody would need connections to the worldwide net from
here. LDAP should cope with the local IP addresses, and the addresses
of the LDAP servers are specified in numerical form anyway.

I found a workaround, after _long_ experimentation:

A line in /etc/nsswitch.conf reading

   hosts: files dns ldap

resolves the problem.

Even

   hosts: files

works.

So it is LDAP that needs DNS even with numerical URIs.


I am using debian 4.0,
   kernel 2.6.18-3-486,
   libc-2.3.6.so,
   libldap-2.3.so.0.2.18, libldap_r.so.2.0.130, libldap.so.2.0.130

--
---
Juergen Prenzel
Institut fuer Bodenkunde und Waldernaehrung
Buesgenweg 2
D-37077 Goettingen
Tel.: +49/551/39-12104  Fax: +49/551/39-3310  email: [EMAIL PROTECTED]
---


