Subject: Bug#266865: marked as done (ldap.conf does not
support the TLS_CACERT directive, but .ldaprc
does)



Your message dated Thu, 19 Aug 2004 17:16:25 +0200
with message-id <20040819151625.GA956@xxxxxxxxxxxxxxx>
and subject line Bug#266865: ldap.conf does not support the TLS_CACERT
directive, but .ldaprc does
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Aug 2004 13:22:16 +0000
>From Sebastien.Varrette@xxxxxxx Thu Aug 19 06:22:16 2004
Return-path: <Sebastien.Varrette@xxxxxxx>
Received: from imag.imag.fr [129.88.30.1]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Bxmrw-0003IQ-00; Thu, 19 Aug 2004 06:22:16 -0700
Received: from imag.fr ([158.64.56.163])
by imag.imag.fr (8.13.0/8.13.0) with ESMTP id i7JDM7UB016766
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <submit@xxxxxxxxxxxxxxx>; Thu, 19 Aug 2004 15:22:09 +0200 (CEST)
Message-ID: <4124A944.6050904@xxxxxxx>
Date: Thu, 19 Aug 2004 15:21:08 +0200
From: Sebastien Varrette <Sebastien.Varrette@xxxxxxx>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413
Debian/1.6-5
X-Accept-Language: en
MIME-Version: 1.0
To: submit@xxxxxxxxxxxxxxx
Subject: ldap.conf does not support the TLS_CACERT directive, but .ldaprc
does
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
X-IMAG-MailScanner: Found to be clean
X-IMAG-MailScanner-Information: Please contact the ISP for more information
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by imag.imag.fr id
i7JDM7UB016766
Delivered-To: submit@xxxxxxxxxxxxxxx
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.1 required=4.0 tests=BAYES_44,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:

Package: ldap-utils
Version: 2.1.30-2


Even though the man page of ldap.conf specifies that TLS_CACERT is not a
user-only directive, it seems that this option is not supported
when specified in ldap.conf.

I've done the following experiment:

%------------------------------------------------
[15:12:12]root@smith root# cat /etc/ldap/ldap.conf
BASE dc=grid5000,dc=net
URI ldaps://neo

TLS_CERT /etc/ldap/CA-cert.pem
TLS_REQCERT demand

[15:12:12]root@smith root# cat ~/.ldaprc
cat: /root/.ldaprc: No such file or directory

(By default, I'll use TLS):
[15:13:07]root@smith root# ldapsearch -x
ldap_bind: Can't contact LDAP server (81)
additional info: Error in the certificate.
%--------------------------------------------------

Now, if I create a $HOME/.ldaprc file containing
TLS_CERT /etc/ldap/CA-cert.pem
everything goes well:

[15:16:06]root@smith root# cat ~/.ldaprc
TLS_CACERT /etc/ldap/CA-cert.pem

(by default, I'll use TLS):
[15:16:13]root@smith root# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


This is always reproducible.
I suggest correcting this problem or specifying in the man page that
this is a user-only option.

Best regards


-- 
Sébastien VARRETTE |\/\/\/\/\/|
-------------------------------- | |
Ph.D student in Computer Science | __ __|
ID-IMAG Laboratory - Univ. of Luxembourg | / \/ \
(Grenoble, FRANCE) (LUXEMBOURG) | (o )o )
---------------------------------- /C \__/ --.
Mail : Sebastien.Varrette@xxxxxxx \_ , -'
Web : http://www-id.imag.fr/~svarrett/ | '\_______)
Phone : +33 (O)6 74 57 90 05 | _)
---------------------------- | |
Computing Security Research /`-----'\
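
A lint for the configuration in this report, added here as an example and not part of the original thread or of OpenLDAP: it flags options that ldap.conf(5) documents as user-only (TLS_CERT, TLS_KEY) when they appear in the system-wide file, and a verifying TLS_REQCERT level with no CA configured. The function names and the FIXED sample are assumptions, and the whole-file check assumes no CA is supplied from elsewhere (environment or another config file); REPORTED is the ldap.conf shown in the report.

```python
"""Added example: lint an OpenLDAP client config for the mistake in this report."""

USER_ONLY = {"TLS_CERT", "TLS_KEY"}              # user-only per ldap.conf(5)
TRUST_ANCHORS = {"TLS_CACERT", "TLS_CACERTDIR"}  # where the CA certificate(s) live
VERIFYING = {"demand", "hard", "try"}            # levels that reject a bad server cert

# The reporter's /etc/ldap/ldap.conf, as shown in the report.
REPORTED = """\
BASE dc=grid5000,dc=net
URI ldaps://neo

TLS_CERT /etc/ldap/CA-cert.pem
TLS_REQCERT demand
"""
# Constructed: the same file with the CA given through TLS_CACERT.
FIXED = REPORTED.replace("TLS_CERT ", "TLS_CACERT ")


def parse(text):
    """Yield (line_number, OPTION, value); option names are case-insensitive."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        yield number, fields[0].upper(), fields[1] if len(fields) > 1 else ""


def lint(text, system_wide=True):
    """Return [(line_number, message)]; line 0 means a whole-file finding."""
    findings, seen = [], {}
    for number, name, value in parse(text):
        seen[name] = value
        if system_wide and name in USER_ONLY:
            findings.append((number, f"{name} is user-only; ignored in ldap.conf"))
    level = seen.get("TLS_REQCERT", "demand").lower()  # demand is the default
    if level in VERIFYING and TRUST_ANCHORS.isdisjoint(seen):
        findings.append((0, f"TLS_REQCERT {level} but no TLS_CACERT/TLS_CACERTDIR"))
    return findings


if __name__ == "__main__":
    for label, config in (("reported", REPORTED), ("fixed", FIXED)):
        print(label, lint(config) or "ok")
```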



---------------------------------------
Received: (at 266865-done) by bugs.debian.org; 19 Aug 2004 15:17:02 +0000
>From t.landschoff@xxxxxxx Thu Aug 19 08:17:02 2004
Return-path: <t.landschoff@xxxxxxx>
Received: from tms.rz.uni-kiel.de (uni-kiel.de) [134.245.11.89]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Bxof0-0001Ia-00; Thu, 19 Aug 2004 08:17:02 -0700
Received: from amavis by uni-kiel.de with scanned-ok (Exim 3.33 #1)
id 1BxoeQ-0003nP-00
for 266865-done@xxxxxxxxxxxxxxx; Thu, 19 Aug 2004 17:16:26 +0200
Received: from zaphod.gpi.uni-kiel.de ([134.245.120.1])
by uni-kiel.de with esmtp (Exim 3.33 #1)
id 1BxoeO-0003nH-00
for 266865-done@xxxxxxxxxxxxxxx; Thu, 19 Aug 2004 17:16:24 +0200
Received: from localhost ([127.0.0.1] helo=stargate.galaxy)
by zaphod.gpi.uni-kiel.de with esmtp (Exim 3.35 #1 (Debian))
id 1BxoeN-0006Ar-00
for <266865-done@xxxxxxxxxxxxxxx>; Thu, 19 Aug 2004 17:16:23 +0200
Received: by stargate.galaxy (Postfix, from userid 1000)
id 4ED4B18961; Thu, 19 Aug 2004 17:16:25 +0200 (CEST)
Date: Thu, 19 Aug 2004 17:16:25 +0200
From: Torsten Landschoff <torsten@xxxxxxxxxx>
To: 266865-done@xxxxxxxxxxxxxxx
Subject: Re: Bug#266865: ldap.conf does not support the TLS_CACERT directive,
but .ldaprc does
Message-ID: <20040819151625.GA956@xxxxxxxxxxxxxxx>
References: <4124A944.6050904@xxxxxxx> <20040819141006.GA32202@xxxxxxxxxxxxxxx>
<4124B743.4090103@xxxxxxx>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="mP3DRpeJDSE+ciuQ"
Content-Disposition: inline
In-Reply-To: <4124B743.4090103@xxxxxxx>
User-Agent: Mutt/1.5.4i
X-Virus-Scanned: by AMaViS 0.3.12 (Uni-Kiel/tms)
Delivered-To: 266865-done@xxxxxxxxxxxxxxx
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:


--mP3DRpeJDSE+ciuQ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Aug 19, 2004 at 04:20:51PM +0200, Sebastien Varrette wrote:
> ARGHHHHHHH!

I think I can close this bug then :)

Greetings

Torsten

--mP3DRpeJDSE+ciuQ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBJMRIdQgHtVUb5EcRAj9bAJ91FUVnqzKuHYm7kQOuCUaCXVg11ACfVd2S
WJphsenIm6DIOnzGWTLmlEo=
=S3AF
-----END PGP SIGNATURE-----

--mP3DRpeJDSE+ciuQ--

_______________________________________________
debian-openldap mailing list
debian-openldap@xxxxxxxxxxx
http://lists.snowman.net/cgi-bin/mailman/listinfo/debian-openldap


