Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-09 Thread Simon Law
On Fri, Oct 07, 2005 at 07:17:53PM -0400, SR, ESC wrote:
> On Fri 2005-10-07 at 18:57:54 -0400, Simon Law [EMAIL PROTECTED] said:
> > Man, that's too bizarre.  Like, Net::LDAP::new _knows_ how to get
> > https:// and use SSL.  If you fire up the Perl debugger, does it at
> > least try to use SSL?
> 
> AFAIK, doesn't seem to: i see lookups in */ASN1/*/*.pm
> (Convert/ASN1/_encode.pm)
> but no Net::LDAPS look ups, and it still looks up on port 389:
> 
> Net::LDAP::_connect(/usr/lib/perl5/Net/LDAP.pm:119):
> 119:  $ldap->{net_ldap_socket} = IO::Socket::INET->new(
> 120:    PeerAddr => $host,
> 121:    PeerPort => $arg->{port} || '389',
> 122:    Proto    => 'tcp',
> 123:    Timeout  => defined $arg->{timeout}
> 124:                 ? $arg->{timeout}
> 125:                 : 120
> 126:  );
>   DB<1>

Poking around on your machine, I figured out the problem.

You have an old installation of Net::LDAP in /usr/lib/perl5, but the
correct Debian version is /usr/share/perl5.  Unfortunately, @INC prefers
/usr/lib/perl5 because that's for locally installed packages.

I suggest removing the old Net::LDAP from /usr/lib/perl5, because you
don't need it.

When I forced finger-ldap to use Debian's version of the library,
everything worked just peachy.

-- 
Simon Law http://www.law.yi.org/~sfllaw/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
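
The root cause Simon Law describes above, an older Net::LDAP earlier on @INC shadowing the packaged copy, can be checked for directly. This is an added example, not code from the thread or from finger-ldap; the function names `find_copies` and `declared_version` are made up for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): report which copy of a module wins on @INC.
use strict;
use warnings;
use File::Spec;

# Every distinct file that provides $module, in @INC order.
# The first entry is the one "use" or "require" would load.
sub find_copies {
    my ($module, @inc) = @_;
    (my $rel = $module) =~ s{::}{/}g;
    $rel .= '.pm';
    my (@hits, %seen);
    for my $dir (@inc) {
        next if ref $dir;                  # skip @INC hooks (code refs, objects)
        my $path = File::Spec->catfile($dir, $rel);
        next unless -f $path;
        my ($dev, $ino) = stat _;          # reuse the stat done by -f
        next if $seen{"$dev:$ino"}++;      # same file via a symlink or repeated dir
        push @hits, $path;
    }
    return @hits;
}

# Read the declared $VERSION from the file without loading the module.
sub declared_version {
    my ($path) = @_;
    open my $fh, '<', $path or return 'unreadable';
    while (my $line = <$fh>) {
        return $1 if $line =~ /\$VERSION\s*=\s*['"]?([\d._]+)/;
    }
    return 'unknown';
}

# Defaults are the two modules discussed in the thread; pass others as arguments.
my @modules  = @ARGV ? @ARGV : ('Net::LDAP', 'Net::LDAPS');
my $shadowed = 0;
for my $module (@modules) {
    my @copies = find_copies($module, @INC);
    if (!@copies) {
        print "$module: not found on \@INC\n";
        next;
    }
    printf "%s: loads %s (version %s)\n",
        $module, $copies[0], declared_version($copies[0]);
    for my $other (@copies[1 .. $#copies]) {
        printf "  shadowed copy: %s (version %s)\n", $other, declared_version($other);
        $shadowed = 1;
    }
}
exit($shadowed ? 1 : 0);
```

An exit status of 1 means at least one module has a second copy later on @INC; on Debian, `dpkg -S <path>` shows whether a package owns each file.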



Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-09 Thread SR, ESC
On Sun 2005-10-09 at 03:33:07 -0400, Simon Law [EMAIL PROTECTED] said:
> 
> Poking around on your machine, I figured out the problem.
> 
> You have an old installation of Net::LDAP in /usr/lib/perl5, but the
> correct Debian version is /usr/share/perl5.  Unfortunately, @INC prefers
> /usr/lib/perl5 because that's for locally installed packages.

holy, you're right. i just looked. scary, heh.

> I suggest removing the old Net::LDAP from /usr/lib/perl5, because you
> don't need it.

will do.

> When I forced finger-ldap to use Debian's version of the library,
> everything worked just peachy.

nice, thanks.


> -- 
> Simon Law http://www.law.yi.org/~sfllaw/

-- 
The only windows I use are in my window manager and my walls.




Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-07 Thread Simon Law
On Wed, Oct 05, 2005 at 06:01:17AM -0400, SR, ESC wrote:
> On Wed 2005-10-05 at 03:05:53 -0400, Simon Law [EMAIL PROTECTED] said:
> > If you could send the relevant URI, HOST, and PORT sections of your
> > configuration file, I will do my best to reproduce your problem.
> 
> ok
> 
> host 192.168.1.150 192.168.1.1
> uri ldapi:/// ldapi://%2fvar%2frun%2fldapi ldaps://iskwahtemis.kisikew.org/ 
> ldaps://pylon.kisikew.org/
> port 636
> 
> CP as-is in the conf.
> 
> (yeh, 'uri' can be multi-valued ;).

I already parse uri correctly.

I've been unable to reproduce your problem, although I did solve some
other bugs.

Please try out
http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.15
and see if that works better for you.  It's directly from my CVS tree.

If it doesn't, could you send me the output of:
strace finger simon 2>&1 > finger.log

-- 
Simon Law http://www.law.yi.org/~sfllaw/





Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-07 Thread SR, ESC
On Fri 2005-10-07 at 02:25:01 -0400, Simon Law [EMAIL PROTECTED] said:
> On Wed, Oct 05, 2005 at 06:01:17AM -0400, SR, ESC wrote:
> > On Wed 2005-10-05 at 03:05:53 -0400, Simon Law [EMAIL PROTECTED] said:
> > > If you could send the relevant URI, HOST, and PORT sections of your
> > > configuration file, I will do my best to reproduce your problem.
> > 
> > ok
> > 
> > host 192.168.1.150 192.168.1.1
> > uri ldapi:/// ldapi://%2fvar%2frun%2fldapi ldaps://iskwahtemis.kisikew.org/ 
> > ldaps://pylon.kisikew.org/
> > port 636
> > 
> > CP as-is in the conf.
> > 
> > (yeh, 'uri' can be multi-valued ;).
> 
> I already parse uri correctly.

np, didn't know if you knew or not.

> I've been unable to reproduce your problem, although I did solve some
> other bugs.

:(. i hear that so often ... :(. and i keep checking for rootkits, and
other crap like that, have IDSes running... *sigh* oh well.

> Please try out
> http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.15
> and see if that works better for you.  It's directly from my CVS tree.

doing so now...

./finger-ldap: Could not bind to LDAP servers: Unexpected EOF

attaching the strace -o /tmp/finger.trace ./finger-ldap simon output.

> If it doesn't, could you send me the output of:
> strace finger simon 2>&1 > finger.log
> 
> -- 
> Simon Law http://www.law.yi.org/~sfllaw/

-- 
make zImage, not war.


finger.trace.gz
Description: application/gunzip




Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-07 Thread Simon Law
On Fri, Oct 07, 2005 at 04:27:04PM -0400, SR, ESC wrote:
> On Fri 2005-10-07 at 02:25:01 -0400, Simon Law [EMAIL PROTECTED] said:
> > Please try out
> > http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.15
> > and see if that works better for you.  It's directly from my CVS tree.
> 
> doing so now...
> 
> ./finger-ldap: Could not bind to LDAP servers: Unexpected EOF
> 
> attaching the strace -o /tmp/finger.trace ./finger-ldap simon output.

Hmm...  Your server is hanging up on you.  Could you try

http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.16

and see if my patch helps.  It looks like one of your servers drops the
connexion on you.

-- 
Simon Law http://www.law.yi.org/~sfllaw/





Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-07 Thread SR, ESC
On Fri 2005-10-07 at 16:44:32 -0400, Simon Law [EMAIL PROTECTED] said:
> On Fri, Oct 07, 2005 at 04:27:04PM -0400, SR, ESC wrote:
> 
> Hmm...  Your server is hanging up on you.  Could you try

yeh i noticed. i was just running it through 'perl -dT'. it's because of the
cert, it matches the FQDN and not IP, which host in libnss-ldap.conf is, so
it drops it, due to the port setting. educated guess, anyway.

> http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.16
> 
> and see if my patch helps.  It looks like one of your servers drops the
> connexion on you.

  DB<1> 
Net::LDAP::Message::server_error(/usr/lib/perl5/Net/LDAP/Message.pm:79):
79:       exists $self->{errorMessage}
80:         ? $self->{errorMessage}
81:         : undef
  DB<1> 
main::query_ldap(./finger-ldap:209):
209:        die ("$program: $error\n") if ($error);
  DB<1> 
./finger-ldap: Could not bind to LDAP servers: Unexpected EOF

 at ./finger-ldap line 209
main::query_ldap('HASH(0x10558a84)') called at ./finger-ldap line 270
main::main() called at ./finger-ldap line 284
Debugged program terminated.  Use q to quit or R to restart,
  use O inhibit_exit to avoid stopping after program termination,
  h q, h R or h O to get additional info.



> -- 
> Simon Law http://www.law.yi.org/~sfllaw/

-- 
The things that will destroy us are: politics without principle;
pleasure without conscience; wealth without work; knowledge without
character; business without morality; science without humanity, and
worship without sacrifice.-- Mahatma Gandhi




Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-07 Thread Simon Law
On Fri, Oct 07, 2005 at 04:52:43PM -0400, SR, ESC wrote:
> On Fri 2005-10-07 at 16:44:32 -0400, Simon Law [EMAIL PROTECTED] said:
> > http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.16

Whoops.  I noticed a small bug where I didn't clear $error if it
succeeded.

http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.17


-- 
Simon Law http://www.law.yi.org/~sfllaw/





Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-07 Thread SR, ESC
On Fri 2005-10-07 at 17:09:45 -0400, Simon Law [EMAIL PROTECTED] said:
> On Fri, Oct 07, 2005 at 04:52:43PM -0400, SR, ESC wrote:
> > On Fri 2005-10-07 at 16:44:32 -0400, Simon Law [EMAIL PROTECTED] said:
> > > http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.16
> 
> Whoops.  I noticed a small bug where I didn't clear $error if it
> succeeded.
> 
> http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.17

ok, both got 

./finger-ldap: Bad hostname 'ldaps://pylon.kisikew.org/'
zsh: 8029 exit 22    ./finger-ldap simon

i commented out the 'port' and 'host' statements in libnss-ldap.conf,
and got that ^.

with them present, i get

./finger-ldap simon
./finger-ldap: Could not bind to LDAP servers: Unexpected EOF

zsh: 8602 exit 255   ./finger-ldap simon

and from slapd.log:

Oct  7 21:18:19 pylon slapd[12726]: conn=1209 fd=16 ACCEPT from IP=192.168.1.1:22421 (IP=0.0.0.0:636)
Oct  7 21:18:19 pylon slapd[12726]: conn=1209 fd=16 closed (TLS negotiation failure)

simon

 
> -- 
> Simon Law http://www.law.yi.org/~sfllaw/

-- 
http://www.nuit.ca/ http://rcw.nuit.ca/ezine/vol_x/x0305.html
http://simonraven.nuit.ca/
ARA: http://www.antiracistaction.ca/
Heathens Against Hate: http://home.earthlink.net/~wodensharrow/hah.html




Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-07 Thread Simon Law
On Fri, Oct 07, 2005 at 05:19:21PM -0400, SR, ESC wrote:
> On Fri 2005-10-07 at 17:09:45 -0400, Simon Law [EMAIL PROTECTED] said:
> > On Fri, Oct 07, 2005 at 04:52:43PM -0400, SR, ESC wrote:
> > > On Fri 2005-10-07 at 16:44:32 -0400, Simon Law [EMAIL PROTECTED] said:
> > > > http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.16
> > 
> > Whoops.  I noticed a small bug where I didn't clear $error if it
> > succeeded.
> > 
> > http://www.law.yi.org/cgi-bin/viewcvs.cgi/*checkout*/finger-ldap/finger-ldap?rev=1.17
> 
> ok, both got 
> 
> ./finger-ldap: Bad hostname 'ldaps://pylon.kisikew.org/'
> zsh: 8029 exit 22    ./finger-ldap simon
> 
> i commented out the 'port' and 'host' statements in libnss-ldap.conf,
> and got that ^.

I'm completely confused by this behaviour.  I cannot reproduce this
because for me, SSL does work.  I don't think this is finger-ldap any
more.

Does 'ldaps://pylong.kisikew.org' work instead?

Also, is your libnet-ldap-perl setup correctly?  Do you have an
/usr/hsare/perl5/Net/LDAPS.pm?

-- 
Simon Law http://www.law.yi.org/~sfllaw/





Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-07 Thread SR, ESC
On Fri 2005-10-07 at 18:34:47 -0400, Simon Law [EMAIL PROTECTED] said:
> 
> I'm completely confused by this behaviour.  I cannot reproduce this
> because for me, SSL does work.  I don't think this is finger-ldap any
> more.
> 
> Does 'ldaps://pylong.kisikew.org' work instead?

does for everything else. both hosts resolve to a single IP, the certs
are freshly done (the first was done up not so long ago, and the
second was re-done [had expired]), the CNs match, and i've been
operating like this for a while. have heimdal kerberos working, etc.

> Also, is your libnet-ldap-perl setup correctly?  Do you have an
> /usr/hsare/perl5/Net/LDAPS.pm?

AFAIK, lemme check.
-rw-r--r--  1 root root 1.9K 2005-04-25 18:54 /usr/share/perl5/Net/LDAPS.pm

indeed i do (with typo correction *grin*)

oh, with the -m switch, it worked perfectly.

./finger-ldap -m simon [it's the v 1.17 checkout]. i don't see any
ldap lookups going on, lemme check the other DS's log... none there,
but it is working.

/me confused

 
> -- 
> Simon Law http://www.law.yi.org/~sfllaw/

-- 
http://www.nuit.ca/ http://home.earthlink.net/~wodensharrow/hah.html
http://simonraven.nuit.ca/ http://www.antiracistaction.ca/
http://rcw.nuit.ca/ezine/vol_x/x0305.html
Debian GNU/Linux http://www.debian.org/




Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-07 Thread Simon Law
On Fri, Oct 07, 2005 at 06:47:59PM -0400, SR, ESC wrote:
> On Fri 2005-10-07 at 18:34:47 -0400, Simon Law [EMAIL PROTECTED] said:
> > 
> > I'm completely confused by this behaviour.  I cannot reproduce this
> > because for me, SSL does work.  I don't think this is finger-ldap any
> > more.
> > 
> > Does 'ldaps://pylong.kisikew.org' work instead?
> 
> does for everything else. both hosts resolve to a single IP, the certs
> are freshly done (the first was done up not so long ago, and the
> second was re-done [had expired]), the CNs match, and i've been
> operating like this for a while. have heimdal kerberos working, etc.

Hmm...  I'm puzzled, really I am.

It would be nice if I could get a login on a machine of yours with Perl
and strace on it, because I can't really reproduce it here.  I'm very
sorry about this!

> > Also, is your libnet-ldap-perl setup correctly?  Do you have an
> > /usr/hsare/perl5/Net/LDAPS.pm?
> 
> AFAIK, lemme check.
> -rw-r--r--  1 root root 1.9K 2005-04-25 18:54 /usr/share/perl5/Net/LDAPS.pm

Man, that's too bizarre.  Like, Net::LDAP::new _knows_ how to get
https:// and use SSL.  If you fire up the Perl debugger, does it at
least try to use SSL?

> indeed i do (with typo correction *grin*)
> 
> oh, with the -m switch, it worked perfectly.
> 
> ./finger-ldap -m simon [it's the v 1.17 checkout]. i don't see any
> ldap lookups going on, lemme check the other DS's log... none there,
> but it is working.

The -m switch is designed to pass things directly to finger.real,
without doing any queries.

-- 
Simon Law http://www.law.yi.org/~sfllaw/





Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-07 Thread SR, ESC
On Fri 2005-10-07 at 18:57:54 -0400, Simon Law [EMAIL PROTECTED] said:
> On Fri, Oct 07, 2005 at 06:47:59PM -0400, SR, ESC wrote:
> > does for everything else. both hosts resolve to a single IP, the certs
> > are freshly done (the first was done up not so long ago, and the
> > second was re-done [had expired]), the CNs match, and i've been
> > operating like this for a while. have heimdal kerberos working, etc.
> 
> Hmm...  I'm puzzled, really I am.
> 
> It would be nice if I could get a login on a machine of yours with Perl
> and strace on it, because I can't really reproduce it here.  I'm very
> sorry about this!

i don't usually do this, but since it'll benefit others, sure.

sending private e-mail with relevant info.

> Man, that's too bizarre.  Like, Net::LDAP::new _knows_ how to get
> https:// and use SSL.  If you fire up the Perl debugger, does it at
> least try to use SSL?

AFAIK, doesn't seem to: i see lookups in */ASN1/*/*.pm
(Convert/ASN1/_encode.pm)
but no Net::LDAPS look ups, and it still looks up on port 389:

Net::LDAP::_connect(/usr/lib/perl5/Net/LDAP.pm:119):
119:  $ldap->{net_ldap_socket} = IO::Socket::INET->new(
120:    PeerAddr => $host,
121:    PeerPort => $arg->{port} || '389',
122:    Proto    => 'tcp',
123:    Timeout  => defined $arg->{timeout}
124:                 ? $arg->{timeout}
125:                 : 120
126:  );
  DB<1> 


> > ./finger-ldap -m simon [it's the v 1.17 checkout]. i don't see any
> > ldap lookups going on, lemme check the other DS's log... none there,
> > but it is working.
> 
> The -m switch is designed to pass things directly to finger.real,
> without doing any queries.

ah ok. wasn't working even with -m switch before the fixes.

> -- 
> Simon Law http://www.law.yi.org/~sfllaw/

-- 
Cold pizza and cold coffee, second best thing to cold pizza and warm beer.
-- me




Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-05 Thread simon raven
Package: finger-ldap
Version: 1.2-1
Severity: normal

hi,

finger-ldap -m simon
/usr/bin/finger-ldap: Bad hostname 'ldaps://iskwahtemis.kisikew.org/'
(2005.10.05)(pts/21)(06:22) (/)
([EMAIL PROTECTED])[22] % finger-ldap -m simon
/usr/bin/finger-ldap: Bad hostname 'ldapi://%2fvar%2frun%2fldapi'
(2005.10.05)(pts/21)(06:22) (/)
([EMAIL PROTECTED])[22] % finger-ldap -m simon
/usr/bin/finger-ldap: Bad service '389'
(2005.10.05)(pts/21)(06:22) (/)
([EMAIL PROTECTED])[255] %

the DNS resolves for all TCP-based hosts, and the 'bad service' i got
when all the hosts (mentioned in the 'uri' statement in
libnss-ldap.conf) were commented out. it seems to puke on line 171 or
172, after it hits the 'next;' function in that sub() (this is from the
debian-distributed script, no local mods have been done on it).

it must be said that i use 'port 636' and 'uri ldapi:/// ' in my conf.

simon

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (1000, 'unstable'), (998, 'experimental')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.13-pylon
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)

Versions of packages finger-ldap depends on:
ii  finger            0.17-8     user information lookup program
ii  libnet-ldap-perl  1:0.33-2   A Client interface to LDAP servers
ii  libnss-ldap       238-1.1    NSS module for using LDAP as a nam
ii  perl              5.8.7-5    Larry Wall's Practical Extraction 

finger-ldap recommends no packages.

-- no debconf information





Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-05 Thread SR, ESC
On Wed 2005-10-05 at 03:05:53 -0400, Simon Law [EMAIL PROTECTED] said:
> 
> It's a little suspicious that ldapi:// got munged, but I'll look into
> it.

i'm not sure if Net::LDAP supports UNIX sockets, but i thought it did.

> Well, finger-ldap doesn't parse out the 'port' syntax, mostly because I
> forgot!

oops :).

> If you could send the relevant URI, HOST, and PORT sections of your
> configuration file, I will do my best to reproduce your problem.

ok

host 192.168.1.150 192.168.1.1
uri ldapi:/// ldapi://%2fvar%2frun%2fldapi ldaps://iskwahtemis.kisikew.org/ 
ldaps://pylon.kisikew.org/
port 636

CP as-is in the conf.

(yeh, 'uri' can be multi-valued ;).

thanks

> -- 
> Simon Law http://www.law.yi.org/~sfllaw/

-- 
http://www.nuit.ca/ http://home.earthlink.net/~wodensharrow/hah.html
http://simonraven.nuit.ca/ http://www.antiracistaction.ca/
http://rcw.nuit.ca/ezine/vol_x/x0305.html
Debian GNU/Linux http://www.debian.org/




Bug#332217: finger-ldap: bad hostname: ldaps://foo

2005-10-05 Thread SR, ESC
On Wed 2005-10-05 at 03:05:53 -0400, Simon Law [EMAIL PROTECTED] said:

oh, i should mention that - for ldapsearch, et al., ldap.conf, and
slapd.conf - that URI is the preferred way To Do Things, since HOST
and PORT are deprecated in oldap 2.1.x and up. so if the parsing can
be based on URI, you can make it future-proof. 

i don't have mad enough perl skillz to do it, but it'd be a rather
simple matter of reading the $proto_scheme:// to figure out the port
(if any) that Net::LDAP should connect to the server with.

-- 
We can use symlinks of course... syslogd would be a symlink to syslogp and
ftpd and ircd would be linked to ftpp and ircp... and of course the
point-to-point protocol paenguin.
-- Kevin M. Bealer, commenting on the penguin Linux logo
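
The suggestion in the message above, reading the scheme of each `uri` value to decide the port, might look like this in Perl. This is an added example, not finger-ldap's code: `parse_ldap_uri` and `uris_from_conf` are hypothetical names, the config text is constructed from the values quoted in the thread, and treating an empty host as localhost is an assumption.

```perl
#!/usr/bin/perl
# Added example, not finger-ldap's code: derive connection targets from 'uri' lines.
use strict;
use warnings;

my %DEFAULT_PORT = (ldap => 389, ldaps => 636);   # registered LDAP / LDAPS ports

# Returns a hash ref describing one URI, or undef if it is not a usable LDAP URI.
sub parse_ldap_uri {
    my ($uri) = @_;
    my ($scheme, $authority) = $uri =~ m{^(ldap[si]?)://([^/?]*)}i
        or return undef;
    $scheme = lc $scheme;
    if ($scheme eq 'ldapi') {
        # ldapi carries a percent-encoded socket path where the host would be
        (my $path = $authority) =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        return { scheme => $scheme, socket => (length($path) ? $path : undef) };
    }
    my ($host, $port) = $authority =~ m{^(\[[^\]]+\]|[^:]*)(?::(\d+))?$}
        or return undef;
    $port //= $DEFAULT_PORT{$scheme};             # no explicit port: use the scheme's
    return undef if $port < 1 || $port > 65535;
    return {
        scheme => $scheme,
        host   => (length($host) ? $host : 'localhost'),  # assumption: empty = local
        port   => $port,
        tls    => ($scheme eq 'ldaps' ? 1 : 0),
    };
}

# Collect every value of every 'uri' line; the directive is multi-valued.
sub uris_from_conf {
    my ($text) = @_;
    my @uris;
    for my $line (split /\n/, $text) {
        my ($key, @values) = split ' ', $line;
        push @uris, @values if defined $key && lc $key eq 'uri';
    }
    return @uris;
}

# Constructed sample using the values quoted in the thread.
my $conf = <<'END';
host 192.168.1.150 192.168.1.1
uri ldapi:/// ldapi://%2fvar%2frun%2fldapi ldaps://iskwahtemis.kisikew.org/ ldaps://pylon.kisikew.org/
port 636
END

for my $uri (uris_from_conf($conf)) {
    my $t = parse_ldap_uri($uri);
    if    (!$t)                     { print "$uri -> rejected\n" }
    elsif ($t->{socket})            { print "$uri -> unix socket $t->{socket}\n" }
    elsif ($t->{scheme} eq 'ldapi') { print "$uri -> default unix socket\n" }
    else {
        printf "%s -> %s:%d%s\n", $uri, @$t{qw(host port)}, ($t->{tls} ? ' (TLS)' : '');
    }
}
```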

