A bug has been found in libldap code that interferes with the value of the "require cert" option. It affects libldap built with GnuTLS, as is done in packages supplied by Ubuntu and Debian. The bug causes the value to be read from previously freed memory, often resulting in an incorrect or random value being used. This bug has been fixed upstream by the OpenLDAP team, but the fix has not yet been backported to Ubuntu.

Bug 1557248 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1557248

The problem you describe may be caused by this bug, or by an unrelated problem. However, in any case Ubuntu libldap packages currently in wily and xenial do not handle the "require cert" option correctly. With this in mind, may I ask that you vote for bug 1557248 in order for it to get noticed by Ubuntu maintainers.

https://bugs.launchpad.net/bugs/1547927

Title: LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and STARTTLS

Status in openldap package in Ubuntu: Confirmed

Bug description:

Tested with vivid and wily... also logged with openldap as http://www.openldap.org/its/index.cgi/Incoming?id=8374

The handling of the LDAP_OPT_X_TLS_REQUIRE_CERT option appears to be different between servers accessed via ldaps:// and ldap:// (plus STARTTLS) URIs. When accessing a server with a self-signed certificate, the results are:

  require cert   ldaps://                            ldap:// plus explicit ldap_start_tls_s()
  never          OK                                  OK
  hard           Error: can't contact LDAP server    OK
  demand         Error: can't contact LDAP server    OK
  allow          OK                                  OK
  try            Error: can't contact LDAP server    OK
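A way to check whether the libldap on a given client shows the difference reported above, as an added example that is not part of the bug report or of OpenLDAP itself: it runs the same five "require cert" levels through the OpenLDAP client tools against both URI forms and compares each outcome with what a correctly working client should do. It assumes ldapsearch is installed, that the test server (placeholder host given on the command line) presents a self-signed certificate that is not in the client's CA store, and that the level is set for the tools through the LDAPTLS_REQCERT environment variable described in ldap.conf(5).

```shell
#!/bin/sh
# Added example, not from the bug report. Probes whether libldap honours the
# TLS_REQCERT level for ldaps:// and for ldap:// + STARTTLS (ldapsearch -ZZ).
# Assumes: ldapsearch on PATH, a test server with a self-signed certificate that
# the client does NOT trust, and LDAPTLS_REQCERT as the per-process override.

# Correct outcome for each level against an untrusted, self-signed server cert:
# never/allow tolerate the bad certificate, try/demand/hard must refuse the session.
expected() {
  case "$1" in
    never|allow)     echo OK ;;
    try|demand|hard) echo FAIL ;;
    *)               echo UNKNOWN ;;
  esac
}

# Map an ldapsearch exit status (0 = query succeeded) to OK/FAIL.
observed() {
  if [ "$1" -eq 0 ]; then echo OK; else echo FAIL; fi
}

# verdict LEVEL EXIT_STATUS -> "ok" when the client behaved as expected, else "MISMATCH".
verdict() {
  if [ "$(expected "$1")" = "$(observed "$2")" ]; then echo ok; else echo MISMATCH; fi
}

# probe URI EXTRA_FLAGS LEVEL: anonymous rootDSE query, output discarded, status returned.
probe() {
  LDAPTLS_REQCERT="$3" ldapsearch -x -H "$1" $2 -s base -b "" -LLL '(objectClass=*)' >/dev/null 2>&1
}

# Print one row per level: MISMATCH in the starttls column with ok in the ldaps
# column is the pattern the bug report describes.
run_matrix() {
  host="$1"
  printf '%-7s %-9s %-9s\n' level ldaps starttls
  for level in never allow try demand hard; do
    rc1=0; probe "ldaps://$host" ""    "$level" || rc1=$?
    rc2=0; probe "ldap://$host"  "-ZZ" "$level" || rc2=$?
    printf '%-7s %-9s %-9s\n' "$level" "$(verdict "$level" "$rc1")" "$(verdict "$level" "$rc2")"
  done
}

# Usage: sh check_reqcert.sh ldap.example.test   (placeholder host name)
if [ $# -ge 1 ]; then run_matrix "$1"; fi
```

Because the defect reads the level from freed memory, a client affected by it may also give different results from one run to the next, so running the matrix more than once is worthwhile.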