Bug#277767: [Pkg-shadow-devel] Progress on this bug report?
Alexander Gattin wrote: Hi! On Mon, Apr 03, 2006 at 01:42:09PM +0100, Greg Matthews wrote: I have no simple way of testing this as I have no host with this version. Alexander... I've bitten the bullet and installed a fresh testing on my desktop. The bug does appear to be history on this platform. I cant reproduce it. Yeah, I understand you very well indeed. :) E.g. I have a problem with apcupsd-cgi on one Debian/testing host while everything is OK on 2 Sarge hosts. Maintainer of apcupsd-cgi suggested me to upgrade one stable host to testing and check whether the problem appears. ;) I wasnt able to dist-upgrade, ended up with a slightly crippled box. So rest of day reinstalling and moving from evolution to thunderbird (evolution freezing too often - I had enough of it). There was one ldap related issue which was to do with having files ldap as a lookup for protocols/services in /etc/nsswitch.conf. This causes udev to not start properly. I need to narrow it down to one of the above - my suspicion is protocols. Obviously, udev not coming up makes the host pretty useless. OK. But I think it's not the right time to clese this bug. Christian, please wait a bit. I'll check the setup on sarge to see whether it has any security impact or not. Security-related bugs should be fixed in stable AFAIR. And I have A LOT ;) of sarge hosts in Lab, all of them _will_ be promoted from NIS to LDAP, anyway. Contrary to Greg's situation, it's not a matter of hosts availability but availability of time... GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#277767: [Pkg-shadow-devel] Progress on this bug report?
On Thu, 2006-03-30 at 23:46 +0300, Alexander Gattin wrote: So, I think testing/unstable system is free from bug #277767. Greg, I'll check it on sarge soon. If you like, you may check it on testing system on your side to see whether it is actually fixed in Debian/testing or not. I have no simple way of testing this as I have no host with this version. Main problem is that if you upgrade a sarge system to Debian/testing, you won't be able to return to Debian/stable easily as libc6 will be upgraded (this is one-way ticket unfortunately). yes, and I have a limited number of Debian hosts at my disposal... if I do manage to check against testing/unstable, I'll post to the bug report to confirm fix or reopen. G -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#277767: [Pkg-shadow-devel] Progress on this bug report?
Hi! On Mon, Apr 03, 2006 at 01:42:09PM +0100, Greg Matthews wrote: I have no simple way of testing this as I have no host with this version. Yeah, I understand you very well indeed. :) E.g. I have a problem with apcupsd-cgi on one Debian/testing host while everything is OK on 2 Sarge hosts. Maintainer of apcupsd-cgi suggested me to upgrade one stable host to testing and check whether the problem appears. ;) yes, and I have a limited number of Debian hosts at my disposal... if I do manage to check against testing/unstable, I'll post to the bug report to confirm fix or reopen. OK. But I think it's not the right time to clese this bug. Christian, please wait a bit. I'll check the setup on sarge to see whether it has any security impact or not. Security-related bugs should be fixed in stable AFAIR. And I have A LOT ;) of sarge hosts in Lab, all of them _will_ be promoted from NIS to LDAP, anyway. Contrary to Greg's situation, it's not a matter of hosts availability but availability of time... -- WBR, xrgtn -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#277767: [Pkg-shadow-devel] Progress on this bug report?
Hi! On Tue, Mar 28, 2006 at 06:55:46PM +0300, Alexander Gattin wrote: never had too much problem setting up either start_TLS or ldaps security altho I've always used RSA I think. I've got answer in openldap-software maillist, and impressively quickly, what a miracle! %) On Wed, Mar 29, 2006 at 01:12:41AM +, [EMAIL PROTECTED] wrote: There is no support for DSA certificates in OpenLDAP 2.2. It was added in 2.3.12. It was related to DH params handling, as Howard wrote, and effectively DSA certs became supported since 2.3.12. Greg, I tried similar setup to yours, with: login/testing upgradeable from 1:4.0.14-3x4 to 1:4.0.14-9 (locally built) libnss-ldap/testing uptodate 238-1.1 libpam-ldap/testing uptodate 180-1 while you used: login 1:4.0.3-30.1 libnss-ldap 238-1 libpam-ldap 178-1sarge1 In my setup, `su - ldapxusr` works perfectly -- it processes ~/.ldaprc, looks through ~/certs, starts TLS and does its job well if not straced (otherwize setgid() fails). I.e. it does not crash/fail. The only issue is when I use /etc/ssl/certs/ which is full of CA certs on my system -- then `su -` hangs for about a minute (ca-certificates package has around 100 certificates...) while checking _all_ of them (don't know why?). So, I think testing/unstable system is free from bug #277767. Greg, I'll check it on sarge soon. If you like, you may check it on testing system on your side to see whether it is actually fixed in Debian/testing or not. Main problem is that if you upgrade a sarge system to Debian/testing, you won't be able to return to Debian/stable easily as libc6 will be upgraded (this is one-way ticket unfortunately). -- WBR, xrgtn -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#277767: [Pkg-shadow-devel] Progress on this bug report?
So, I think testing/unstable system is free from bug #277767. Greg, I'll check it on sarge soon. If you like, you may check it on testing system on your side to see whether it is actually fixed in Debian/testing or not. So, a first action would then be closing the bug with appropriate version tagging (ie, send a mail to [EMAIL PROTECTED] with Version: 4.0.3-32) Objections? Whether the bug is or not in sarge is anyway quite unlikely to be enough to justify a fix in sarge, actually. signature.asc Description: Digital signature
Bug#277767: [Pkg-shadow-devel] Progress on this bug report?
Hi! On Tue, Mar 28, 2006 at 03:20:31PM +0100, Greg Matthews wrote: On Mon, 2006-03-27 at 23:30 +0300, Alexander Gattin wrote: (I used slapd -d 65535, s_client's debug, tcpdump, then ssldump...). I forgot to mention strace and RTFS, of course. :/ never had too much problem setting up either start_TLS or ldaps security altho I've always used RSA I think. Theres a fair amount of info at the faq-o-matic over at openldap.org I just used admin guide from there -- it's definitely OK. But in my case the same setup plain didn't work, without slapd/logs/dumps providing any clue about why? (some ppl cant stand faq-o-matic tho), and plenty of old war stories on the web - might be worth looking at the itss site over at stanford. otherwise, give me a yell and I'll help if I can. Thank you -- you were quite helpful. might be worth asking on the openldap mailing list I googled through it, found similar problems reported, but none were solved AFAIS (looked like kind of mystery). and/or submitting a bug report. I'd prefer first to subscribe to openldap list and ask there. Then they or me will find solution, for sure. I've already read huge amounts of TFS. -- WBR, xrgtn -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
