Arthur,

This datapoint is probably intuitive, but I'll point it out anyway.

I've been running 0.9.2-1wheezy1 (my own backport) on top of wheezy
for a while, and never saw this issue.

In the last couple of weeks, I switched from unencrypted ldap://ldap
to encrypted ldaps://ldap, and now I'm seeing it on around 10% to 20%
of boots (with a sample set of about ten boots).

I haven't tried with STARTTLS.

So anyway: this issue appears to only arise if TLS is used.

nslcd.conf diff:

     uid nslcd
     gid nslcd
    -uri ldap://ldap/
    +uri ldaps://ldap/
    +tls_cacertfile /etc/ssl/certs/com.prisonpc.pem
     base o=PrisonPC
     pam_authz_search 
(&(objectClass=posixGroup)(cn=prisoners)(memberUid=$username))
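Review bot: tls_reqcert is not set alongside the new tls_cacertfile line, so nslcd's default certificate-checking mode applies to the new ldaps://ldap/ URI; since the failure is intermittent at boot, it would help the maintainer to state the effective tls_reqcert value in the report, and to confirm that /etc/ssl/certs/com.prisonpc.pem is readable by the `uid nslcd` user configured on the first line and that the CA in it actually issued the certificate presented for the host name `ldap`, so that a verification failure can be told apart from a timing problem.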

FTR, workarounds I'm considering are:

  - stunnel4 on the clients, then plaintext ldap over that.
    (I'm already doing this for
    http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
    due to problems with chromium.)

  - build openldap against openssl instead of gnutls.
    I used to do this to get sudo-ldap to work with PADL libpam-ldap,
    where gnutls+ldaps+setuid was broken.

Obviously neither is an appropriate fix for Debian.

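For the first workaround listed above, the following is an added example (not part of the original mail, and not taken from nslcd or stunnel documentation) of what the client-side stunnel4 configuration would look like. The file path, the service name `ldap`, the loopback port, the setuid/setgid user and the pid path are assumptions; `verify = 2` is the stunnel 4.x directive that requires the server certificate to chain to a CA in `CAfile`, which is the stunnel generation shipped with wheezy.

```ini
; /etc/stunnel/ldap.conf (assumed path; added example, not from the original mail)
; Run stunnel4 as a TLS client on each workstation: nslcd speaks plaintext LDAP
; to the loopback address, and stunnel carries it to the directory server
; over TLS.
client = yes

; Drop privileges after start-up; the Debian stunnel4 package creates this user.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4-ldap.pid

; Verify the server certificate against the same CA file nslcd was given.
; Without "verify = 2" the tunnel still encrypts, but it would accept any
; certificate the server presents, so the encryption would not authenticate
; the directory server.
CAfile = /etc/ssl/certs/com.prisonpc.pem
verify = 2

[ldap]
; Listen only on loopback so other hosts cannot relay through this tunnel.
accept = 127.0.0.1:389
connect = ldap:636
```

nslcd.conf then points at the tunnel instead of the server (`uri ldap://127.0.0.1/`) and the `tls_cacertfile` line is dropped, because nslcd no longer does TLS itself. On Debian the service also has to be switched on in /etc/default/stunnel4 (`ENABLED=1`). Two caveats compared with `ldaps://` directly in nslcd: the LDAP traffic between nslcd and stunnel is in the clear on the local host, and stunnel 4.x `verify = 2` checks only that the certificate chains to the CA, not that its subject matches the host name `ldap`.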