Bug#550439: marked as done (libpam-ldap: Fails to verify server certificate in TLS)

[Debian Bug Tracking System]

Your message dated Tue, 28 Feb 2023 15:13:40 +0000
with message-id <e1px1fg-00azmm...@fasolo.debian.org>
and subject line Bug#1032123: Removed package(s) from unstable
has caused the Debian Bug report #550439,
regarding libpam-ldap: Fails to verify server certificate in TLS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
550439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550439
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: libpam-ldap
Version: 184-4.2
Severity: important


After migrating from etch to lenny I can no longer use the the stanza

  uri ldaps://10.76.195.82
  tls_checkpeer yes
  tls_cacertfile /etc/ssl/certs/jp09_cert.pem

in /etc/pam_ldap.conf. If I do the authentication of users fails with the following messages

in /var/log/auth.log

Oct 10 04:37:23 p2 sshd[13066]: pam_ldap: ldap_simple_bind Can't contact LDAP server

Oct 10 04:37:23 p2 sshd[13066]: pam_ldap: reconnecting to LDAP server...

Oct 10 04:37:23 p2 sshd[13066]: pam_ldap: ldap_simple_bind Can't contact LDAP server

Oct 10 04:37:26 p2 sshd[13066]: Failed password for jprenze from ...

With

 tls_checkpeer no

it works, but seems less secure.

But the certificate works with the server:

=========================================================

p2:/etc/ssl/certs# gnutls-cli -p 636 --x509cafile /etc/ssl/certs/jp09_cert.pem 10.76.195.82

Processed 1 CA certificate(s).
Resolving '10.76.195.82'...
Connecting to '10.76.195.82:636'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.

- Certificate[0] info:
# The hostname in the certificate matches '10.76.195.82'.
# valid since: Fri Oct  9 18:57:47 CEST 2009
# expires at: Thu Jul  5 18:57:47 CEST 2012
# fingerprint: 9B:B2:63:7E:33:47:61:99:C1:9E:5C:59:A9:B0:5B:77

# Subject's DN: CN=10.76.195.82,ST=Niedersachsen,C=DE,EMAIL=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen

Institute

# Issuer's DN: CN=Juergen Prenzel,ST=Niedersachsen,C=DE,EMAIL=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen

Institute

- Certificate[1] info:
# valid since: Fri Oct  9 18:56:59 CEST 2009
# expires at: Thu Jul  5 18:56:59 CEST 2012
# fingerprint: 3C:40:EF:D2:BC:35:71:57:0A:77:56:CA:9B:A0:54:AB

# Subject's DN: CN=Juergen Prenzel,ST=Niedersachsen,C=DE,EMAIL=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen

Institute

# Issuer's DN: CN=Juergen Prenzel,ST=Niedersachsen,C=DE,EMAIL=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen

Institute


- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
==============================================

I guess that libpam-ldap somehow ignores the tls_cacertfile parameter.

 Juergen Prenzel

-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-ldap depends on:

ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy ii libc6 2.7-18 GNU C Library: Shared libraries

ii  libldap-2.4-2             2.4.11-1       OpenLDAP libraries

ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l

libpam-ldap recommends no packages.

Versions of packages libpam-ldap suggests:

ii libnss-ldapd [libnss-ldap] 0.6.7.1 NSS module for using LDAP as a nam

-- debconf information:
* shared/ldapns/base-dn: dc=example,dc=net
* shared/ldapns/ldap-server: ldapi:///
libpam-ldap/pam_password: crypt
libpam-ldap/binddn: cn=proxyuser,dc=example,dc=net
* libpam-ldap/rootbinddn: cn=manager,dc=example,dc=net
* libpam-ldap/dbrootlogin: true
libpam-ldap/override: true
* shared/ldapns/ldap_version: 3
* libpam-ldap/dblogin: false

--- End Message ---

--- Begin Message ---

Version: 186-4.1+rm

Dear submitter,

as the package libpam-ldap has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1032123

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---