Bug#521617: libnss-ldapd: "tls_reqcert never" doesn't work

Sat, 28 Mar 2009 17:01:10 -0700 

Package: libnss-ldapd
Version: 0.6.8

With 0.6.7 if I have "tls_reqcert never" in /etc/ldap/ldap.conf then
nslcd can connect to my ldap servers (which unfortunately have
certificate problems and are outside of my administrative control) and
things work quite happily.  The switch to 0.6.8 broke this capability
(almost surely the "clean the environment and set LDAPNOINIT" change
is responsible), even when I put "tls_reqcert never" in my
/etc/nss-ldapd.conf, which notably hasn't been well tested according
to the warning messages.

Without "tls_reqcert never" in /etc/nss-ldapd.conf I just got this:

Mar 28 03:39:41 deadhour nslcd[11653]: [6c6125] failed to bind to LDAP server 
ldaps://id.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:39:41 deadhour nslcd[11653]: [6c6125] failed to bind to LDAP server 
ldaps://id3.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:39:41 deadhour nslcd[11653]: [8c895d] failed to bind to LDAP server 
ldaps://id3.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:39:41 deadhour nslcd[11653]: [8c895d] failed to bind to LDAP server 
ldaps://id4.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:39:41 deadhour nslcd[11653]: [8c895d] no available LDAP server found, 
sleeping 1 seconds
Mar 28 03:39:41 deadhour nslcd[11653]: [6c6125] failed to bind to LDAP server 
ldaps://id4.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:39:41 deadhour nslcd[11653]: [6c6125] no available LDAP server found, 
sleeping 1 seconds
Mar 28 03:39:42 deadhour nslcd[11653]: [8c895d] failed to bind to LDAP server 
ldaps://id1.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:39:42 deadhour nslcd[11653]: [6c6125] failed to bind to LDAP server 
ldaps://id1.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:39:42 deadhour nslcd[11653]: [8c895d] failed to bind to LDAP server 
ldaps://id2.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:39:42 deadhour nslcd[11653]: [8c895d] no available LDAP server found, 
sleeping 1 seconds
Mar 28 03:39:42 deadhour nslcd[11653]: [6c6125] failed to bind to LDAP server 
ldaps://id2.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:39:42 deadhour nslcd[11653]: [6c6125] no available LDAP server found, 
sleeping 1 seconds
Mar 28 03:39:43 deadhour nslcd[11653]: [8c895d] no available LDAP server found
Mar 28 03:39:43 deadhour nslcd[11653]: [6c6125] no available LDAP server found

While I'm not surprised it couldn't establish the connection due to
not being able to verify the certs, the error message could stand to be
more informative.

After adding "tls_reqcert never" to /etc/nss-ldapd.conf the messages
changed slightly to:

Mar 28 03:41:02 deadhour nslcd[7158]: [8b4567] failed to bind to LDAP server 
ldaps://id.sea/: Can't contact LDAP server: No such file or directory
Mar 28 03:41:02 deadhour nslcd[7158]: [8b4567] failed to bind to LDAP server 
ldaps://id3.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:41:02 deadhour nslcd[7158]: [8b4567] failed to bind to LDAP server 
ldaps://id4.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:41:02 deadhour nslcd[7158]: [8b4567] failed to bind to LDAP server 
ldaps://id1.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:41:02 deadhour nslcd[7158]: [8b4567] failed to bind to LDAP server 
ldaps://id2.sea/: Can't contact LDAP server: Operation now in progress
Mar 28 03:41:02 deadhour nslcd[7158]: [8b4567] no available LDAP server found, 
sleeping 1 seconds
Mar 28 03:41:03 deadhour nslcd[7158]: [8b4567] no available LDAP server found


Downgrading to 0.6.7 restores normal operation and things work
smoothly.


-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
                                                        -Frank Zappa



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to