[Bug 420277] Re: ldap tls refusing to initialize
Christian Roessner
christian at roessner-net.com
Sat Sep 5 17:12:46 BST 2009
I do confirm this.
And: Howard Chu still explains NOT TO USE GNUTLS with openldap! It is
broken by design! Do not wonder about strange behavior if you do not
trust the core developers.
http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
I asked Howard a couple of days ago and he still stands by his
opinion. I think Debian/Ubuntu should not make changes from openssl to
gnutls!
For this bug:
...
1.2.36.79672281.1.13.3 (rdnMatch): 2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcAccessLogDB $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
main: TLS init failed: 0
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
And by the way: my certs are under /ca/ldapmaster.roessner-net.com
My profile for AppArmor was working under intrepid. Upgrading from
intrepid to jaunty does not work.
# Last Modified: Tue Sep 2 13:08:01 2008
# Author: Jamie Strandboge <jamie at ubuntu.com>
#include <tunables/global>
/usr/sbin/slapd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  /ca/cacert_org.crt r,
  /ca/ldapmaster.roessner-net.de/newcert.pem r,
  /ca/ldapmaster.roessner-net.de/newkey.pem r,
  /etc/gai.conf r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/ldap/ldap.conf r,
  /etc/ldap/schema/* r,
  /etc/ldap/slapd.conf r,
  /etc/sasldb2 r,
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,
  /usr/lib/ldap/ r,
  /usr/lib/ldap/* mr,
  /usr/sbin/slapd mr,
  /var/lib/ldap/ r,
  /var/lib/ldap/* rw,
  /var/lib/ldap-ov/accesslog r,
  /var/lib/ldap-ov/accesslog/* rw,
  /var/lib/ldap/alock kw,
  /var/lib/ldap-ov/accesslog/alock kw,
  /var/run/slapd/* w,
}
No dmesg output that points to problems.
** Changed in: openldap (Ubuntu)
Status: New => Confirmed
--
ldap tls refusing to initialize
https://bugs.launchpad.net/bugs/420277
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
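When slapd's TLS init fails under an AppArmor profile, one check worth automating is whether the certificate and key files named in slapd.conf are actually covered by a read rule in the profile (AppArmor's "*" does not cross "/", "**" does). The script below is an added example, not code from the report or from Ubuntu; the profile rules are copied from the report above, while the slapd.conf directives and their paths are constructed for illustration.

```python
import re

# Constructed sample: path rules taken from the profile in the report.
PROFILE = """
/usr/sbin/slapd flags=(complain) {
  #include <abstractions/base>
  capability dac_override,
  /ca/cacert_org.crt r,
  /ca/ldapmaster.roessner-net.de/newcert.pem r,
  /ca/ldapmaster.roessner-net.de/newkey.pem r,
  /etc/ssl/private/* r,
}
"""

# Constructed slapd.conf TLS directives (assumed; not taken from the report).
SLAPD_CONF = """
TLSCACertificateFile  /ca/cacert_org.crt
TLSCertificateFile    /ca/ldapmaster.roessner-net.com/newcert.pem
TLSCertificateKeyFile /ca/ldapmaster.roessner-net.com/newkey.pem
"""

RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")
TLS_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")

def profile_file_rules(text):
    """Return [(glob, perms)] for every path rule in the profile text."""
    return [(m.group(1), m.group(2)) for m in map(RULE_RE.match, text.splitlines()) if m]

def glob_to_regex(glob):
    """AppArmor globbing: '*' does not cross '/', '**' does."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")

def slapd_tls_paths(text):
    """Return [(directive, path)] for the TLS file directives in slapd.conf."""
    parts = [line.split() for line in text.splitlines()]
    return [(p[0], p[1]) for p in parts if len(p) == 2 and p[0] in TLS_DIRECTIVES]

def check_coverage(profile_text, conf_text):
    """For each TLS file, report whether some profile rule grants 'r' on it."""
    rules = [(glob_to_regex(g), perms) for g, perms in profile_file_rules(profile_text)]
    return [(d, path, any(rx.match(path) and "r" in perms for rx, perms in rules))
            for d, path in slapd_tls_paths(conf_text)]
```

Running it against the real /etc/apparmor.d/usr.sbin.slapd and /etc/ldap/slapd.conf gives a quick answer to "is this a profile gap or a GnuTLS problem" before digging into the slapd debug output.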