Package: libnss-ldap Version: 261-2 Severity: normal
Hi, After upgrading some systems from etch to lenny we've found that libnss-ldap has trouble connecting to the directory server. The problem turned out to be the following line we had in libnss-ldap.conf: tls_ciphers TLSv1 This is the end of output with "debug 65535": ldap_parse_result ber_scanf fmt ({iAA) ber: ber_dump: buf=0x9766c70 ptr=0x9766c73 end=0x9766c88 len=21 0000: 78 13 0a 01 00 04 00 04 0c 53 74 61 72 74 20 54 x........Start T 0010: 4c 53 20 4f 6b LS Ok ber_scanf fmt (}) ber: ber_dump: buf=0x9766c70 ptr=0x9766c88 end=0x9766c88 len=0 ldap_msgfree TLS: could not set cipher list TLSv1. ldap_unbind ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 0000: 30 05 02 01 02 42 00 0....B. ldap_write: want=7, written=7 0000: 30 05 02 01 02 42 00 0....B. ldap_free_connection: actually freed ldap_err2string The command "openssl ciphers TLSv1" produces the expected cipher list, so OpenSSL still knows about this cipher suite specification. The bug may be in libldap, but ldapsearch does not have an option to set the cipher list like libnss-ldap so I can not easily test that. Gabor -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental') Architecture: i386 (x86_64) Kernel: Linux 2.6.27-rc5 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libnss-ldap depends on: ii debconf [debconf-2.0] 1.5.23 Debian configuration management sy ii libc6 2.7-13 GNU C Library: Shared libraries ii libcomerr2 1.41.1-3 common error description library ii libkrb53 1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries ii libldap-2.4-2 2.4.10-3 OpenLDAP libraries ii libsasl2-2 2.1.22.dfsg1-23 Cyrus SASL - authentication abstra Versions of packages libnss-ldap recommends: ii libpam-ldap 184-4.1 Pluggable Authentication Module al ii nscd 2.7-13 GNU C Library: Name Service Cache libnss-ldap suggests no packages. -- debconf information excluded -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]