[Bug 420277] Re: ldap tls refusing to initialize

Christian Roessner christian at roessner-net.com
Sat Sep 5 17:12:46 BST 2009 

I do confirm this.

And: Howard Chu still explains NOT TO USE GNUTLS with openldap! It is
broken by design! Do not wonder for strange behavior, if you do not
trust the core developers.

http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

I have asked Howard a couple of days ago and he still stays at his
opinion. I think Debian/Ubuntu should not make changes from openssl to
gnutls!

For this bug:

...
1.2.36.79672281.1.13.3 (rdnMatch):     2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcAccessLogDB $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
    2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
main: TLS init failed: 0
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

And by the way: My certs are under /ca/ldapmaster.roessner-net.com

My profile for apparmor was working under intrepid. Upgrading from
intrepid to jaunty does not work.

# Last Modified: Tue Sep  2 13:08:01 2008
# Author: Jamie Strandboge <jamie at ubuntu.com>

#include <tunables/global>
/usr/sbin/slapd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /ca/cacert_org.crt r,
  /ca/ldapmaster.roessner-net.de/newcert.pem r,
  /ca/ldapmaster.roessner-net.de/newkey.pem r,
  /etc/gai.conf r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/ldap/ldap.conf r,
  /etc/ldap/schema/* r,
  /etc/ldap/slapd.conf r,
  /etc/sasldb2 r,
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,
  /usr/lib/ldap/ r,
  /usr/lib/ldap/* mr,
  /usr/sbin/slapd mr,
  /var/lib/ldap/ r,
  /var/lib/ldap/* rw,
  /var/lib/ldap-ov/accesslog r,
  /var/lib/ldap-ov/accesslog/* rw,
  /var/lib/ldap/alock kw,
  /var/lib/ldap-ov/accesslog/alock kw,
  /var/run/slapd/* w,
}

No dmesg output that points to problems.

** Changed in: openldap (Ubuntu)
       Status: New => Confirmed

-- 
ldap tls refusing to initialize
https://bugs.launchpad.net/bugs/420277
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.

More information about the Ubuntu-server-bugs mailing list