Your message dated Mon, 21 Jan 2008 18:31:18 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#457182: fixed in openldap2.3 2.4.7-2 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: slapd
Version: 2.3.30-5
Severity: grave
Justification: renders package unusable
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Denis Sacchet <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: slapd: TLS connections failed after a while
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: reportbug 3.31
Date: Thu, 20 Dec 2007 11:30:33 +0100

I use openldap as a centralized authentication storage, used by several services:
- apache httpd
- pam_ldap (then used by sshd)
- nss_ldap
- cyrus sasl through saslauthd (then used by postfix and cyrus imapd)
- egroupware

As the server is open on the internet, I refuse unencrypted connections to the LDAP server by forcing TLS encryption (so through port 389). I use a certificate generated by a local CA (so it is not a self-signed certificate, but a certificate signed by a personal CA).

Everything works perfectly for 1 day, sometimes longer, and suddenly we cannot connect anymore to the LDAP server; a trace gave the following information:

TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

I spoke for a while on the openldap mailing list; after several exchanges, it seems there is a conflict between slapd, libldap-2.3-0 and libldap2. Indeed, libldap2 is linked against GNUTLS, while slapd and libldap-2.3-0 are linked against OpenSSL ... The answer of the OpenLDAP developers is "It will be fixed with openldap 2.4.x developed for GNUTLS, and when Debian's developers will integrate this version". (If you want to take a look at the discussion on the mailing list, you can search for the subject "Strange TLS behaviour with slapd 2.3.30 on Debian Etch" on the [EMAIL PROTECTED] mailing list.)

During this time, every day, I need to restart all the services (I don't know why, crontab doesn't work either when the problem occurs, perhaps a link with pam/nss), and all the services are no longer available until then ...

I can provide traces, logs, etc ... as requested; I have a lot of information about the problem, and the problem is reproducible.
Thanks in advance for your attention
Best regards
Denis Sacchet

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21.1dedibox-r7
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages slapd depends on:
ii  adduser                3.102              Add and remove users and groups
ii  coreutils              5.97-5.3           The GNU core utilities
ii  debconf [debconf-2.0]  1.5.11             Debian configuration management sy
ii  libc6                  2.3.6.ds1-13etch2  GNU C Library: Shared libraries
ii  libdb4.2               4.2.52+dfsg-2      Berkeley v4.2 Database Libraries [
ii  libiodbc2              3.52.4-5           iODBC Driver Manager
ii  libldap-2.3-0          2.3.30-5           OpenLDAP libraries
ii  libltdl3               1.5.22-4           A system independent dlopen wrappe
ii  libperl5.8             5.8.8-7etch1       Shared Perl library
ii  libsasl2-2             2.1.22.dfsg1-8     Authentication abstraction library
ii  libslp1                1.2.1-6.2          OpenSLP libraries
ii  libssl0.9.8            0.9.8c-4etch1      SSL shared libraries
ii  libwrap0               7.6.dbs-13         Wietse Venema's TCP wrappers libra
ii  perl [libmime-base64-p 5.8.8-7etch1       Larry Wall's Practical Extraction
ii  psmisc                 22.3-1             Utilities that use the proc filesy

Versions of packages slapd recommends:
ii  libsasl2-modules       2.1.22.dfsg1-8     Pluggable Authentication Modules f

-- debconf information:
  slapd/password_mismatch:
  slapd/fix_directory: true
  slapd/invalid_config: true
  shared/organization: nodomain
  slapd/upgrade_slapcat_failure:
  slapd/upgrade_slapadd_failure:
  slapd/backend: BDB
  slapd/dump_database: when needed
  slapd/allow_ldap_v2: false
  slapd/no_configuration: false
  slapd/migrate_ldbm_to_bdb: true
  slapd/move_old_database: true
  slapd/suffix_change: false
  slapd/slave_databases_require_updateref:
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/autoconf_modules: true
  slapd/purge_database: false
  slapd/domain: nodomain
--- End Message ---
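The library mix the reporter diagnoses above (an OpenSSL-linked slapd/libldap-2.3-0 and a GnuTLS-linked libldap2 loaded into the same process) can be checked from the loader's point of view. The following is an added shell diagnostic, not part of the bug report or of the Debian packaging; the /proc/<pid>/maps sample lines, their addresses, inodes and library file names are constructed for illustration.

```shell
# Added diagnostic (not from the bug report): detect whether a process pulls in
# both an OpenSSL and a GnuTLS TLS stack, the condition the reporter describes.
# Reads /proc/<pid>/maps or ldd(1) lines on stdin and prints one verdict:
# none, openssl, gnutls, or mixed.
tls_linkage_verdict() {
    ssl=0; gnutls=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ssl=1 ;;
        esac
        case "$line" in
            *libgnutls.so*) gnutls=1 ;;
        esac
    done
    if [ "$ssl" -eq 1 ] && [ "$gnutls" -eq 1 ]; then echo mixed
    elif [ "$ssl" -eq 1 ]; then echo openssl
    elif [ "$gnutls" -eq 1 ]; then echo gnutls
    else echo none
    fi
}

# Check a running process (Linux): every shared object it has mapped.
check_pid() {
    tls_linkage_verdict < "/proc/$1/maps"
}

# Check what a binary would load before it runs, via ldd(1).
check_binary() {
    ldd "$1" 2>/dev/null | tls_linkage_verdict
}

# Convenience wrapper for text already held in a variable.
verdict_for_text() {
    printf '%s\n' "$1" | tls_linkage_verdict
}

# Constructed sample of /proc/<pid>/maps lines (addresses, inodes and file
# names are made up) mirroring the report: libldap-2.3-0 pulls in OpenSSL
# while the old libldap2 pulls in GnuTLS, so both end up in one process.
SAMPLE_MIXED='b7c00000-b7c40000 r-xp 00000000 08:01 1234 /usr/lib/libldap_r-2.3.so.0
b7c40000-b7c80000 r-xp 00000000 08:01 1235 /usr/lib/libssl.so.0.9.8
b7c80000-b7d00000 r-xp 00000000 08:01 1236 /usr/lib/libldap.so.2
b7d00000-b7d60000 r-xp 00000000 08:01 1237 /usr/lib/libgnutls.so.13'

verdict_for_text "$SAMPLE_MIXED"   # prints: mixed
```

A "mixed" verdict for a process such as sshd, saslauthd or apache is the signature of the conflict in this report; after the fix, only GnuTLS should appear beside libldap.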
--- Begin Message ---
Source: openldap2.3
Source-Version: 2.4.7-2

We believe that the bug you reported is fixed in the latest version of openldap2.3, which is due to be installed in the Debian FTP archive:

ldap-utils_2.4.7-2_amd64.deb
  to pool/main/o/openldap2.3/ldap-utils_2.4.7-2_amd64.deb
libldap-2.4-2-dbg_2.4.7-2_amd64.deb
  to pool/main/o/openldap2.3/libldap-2.4-2-dbg_2.4.7-2_amd64.deb
libldap-2.4-2_2.4.7-2_amd64.deb
  to pool/main/o/openldap2.3/libldap-2.4-2_2.4.7-2_amd64.deb
libldap2-dev_2.4.7-2_amd64.deb
  to pool/main/o/openldap2.3/libldap2-dev_2.4.7-2_amd64.deb
openldap2.3_2.4.7-2.diff.gz
  to pool/main/o/openldap2.3/openldap2.3_2.4.7-2.diff.gz
openldap2.3_2.4.7-2.dsc
  to pool/main/o/openldap2.3/openldap2.3_2.4.7-2.dsc
openldap2.3_2.4.7.orig.tar.gz
  to pool/main/o/openldap2.3/openldap2.3_2.4.7.orig.tar.gz
slapd-dbg_2.4.7-2_amd64.deb
  to pool/main/o/openldap2.3/slapd-dbg_2.4.7-2_amd64.deb
slapd_2.4.7-2_amd64.deb
  to pool/main/o/openldap2.3/slapd_2.4.7-2_amd64.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <[EMAIL PROTECTED]> (supplier of updated openldap2.3 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Mon, 21 Jan 2008 06:13:21 -0800
Source: openldap2.3
Binary: slapd libldap-2.4-2 ldap-utils libldap2-dev slapd-dbg libldap-2.4-2-dbg
Architecture: source amd64
Version: 2.4.7-2
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <[EMAIL PROTECTED]>
Changed-By: Steve Langasek <[EMAIL PROTECTED]>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
Closes: 221173 258931 260118 262539 320072 381788 391899 393215 407334 411413 412706 428385 428468 432662 438127 447224 448061 448935 449354 449442 451158 451325 452632 452749 452833 453318 453341 453411 457182 458215
Changes:
 openldap2.3 (2.4.7-2) unstable; urgency=low

   * Temporarily drop slapi-dev from the package to get through NEW; this
     functionality should be readded later, either by restoring the slapi-dev
     package or by moving it to libldap2-dev, depending on the outcome of
     discussion with the ftp-masters.

 openldap2.3 (2.4.7-1) unstable; urgency=low

   [ Steve Langasek ]
   * New upstream version; closes: #449354.
     - remove another schema from upstream source, collective.schema, that
       contains text from the IETF RFCs and include a stripped copy in
       debian/schema.
     - drop patches slurpd-in-spool and man-slurpd, since slurpd is no longer
       provided upstream.
     - libldap2.3-0 is now libldap2.4-2
     - build libldap2-dev from this source package now, superseding openldap2;
       closes: #428385, #260118, #262539, #391899, #393215.
     - lastmod and denyop have been moved to contrib upstream and are no
       longer shipped as supported overlays
     - drop dependency on libldap2 and take ownership of the
       /etc/ldap/ldap.conf conffile, since libldap2 is now obsolete
     - need to dump and reload databases again for the upgrade from 2.3.39.
     - ldap_init(3) no longer attempts to document the internals of the LDAP
       opaque type. Closes: #320072.
     - ldap-utils utilities find LDAP servers via SRV records when given a URL
       with -H and no host in the URL. Closes: #221173.
     - if the old slapd.conf included any replica commands, automatically
       enable syncprov for the corresponding database and print an error with
       debconf.
   * slapd.conf and DB_CONFIG are used in the postinst, they shouldn't be
     shipped under doc/examples because /usr/share/doc can't be depended on
     per policy; ship the files under /usr/share/slapd and symlink the /other/
     way, which also spares us from dh_compress trying to gzip slapd.conf.
     Closes: #452749.
   * Drop libldap.so as was done for libldap2, making it a link to
     libldap_r.so to avoid unfortunate symbol collisions.
   * Add new patch, libldap-symbol-versions, to build libldap and liblber with
     symbol versions; needed to avoid segfaults when applications manage to
     pull both libldap2 and the new libldap-2.4-2 into the same process (as
     during a partial upgrade or the initial soname transition), and also when
     the library soname changes again in the future (as it's likely to do).
   * Reintroduce add-autogen-sh patch, with build deps on libtool, automake,
     and autoconf, required due to the previous patch; this time around, take
     care to clean up the autogenerated files in the clean target as well
   * Build-depend on libgnutls-dev instead of on libssl-dev, so that at long
     last we can build the server and lib from the same source package again
     without licensing problems. Closes: #457182, #407334, #428468, #381788.
     Closes: #412706.
   * slapd.prerm, slapd.postinst: drop no-longer-needed upgrade code for
     openldap < 2.1.22
   * Ask about ldbm to bdb migration in the preinst, since there is no
     guarantee that the debconf config script will be run before the unpack
     phase.
   * Don't stop slapd in the preinst by hand, the prerm already stops the old
     slapd using the standard interfaces.
   * Don't build with LAN Manager password support; these passwords are more
     insecure than traditional Unix crypt, and only relevant when talking to
     Windows 98.
   * Move libslapi into the slapd package and provide a virtual package for
     library dependencies, since this is expected to stay lockstep with the
     server.
   * Split slapi dev support into a new libslapi-dev package, as this is
     unrelated to libldap; and drop libslapi.a since it would be insane to try
     to statically link a dynamically-loaded slapi plugin.
   * "checkpoint" directives are no longer supported as part of the backend
     config, only as part of the database config; move the lines around in
     slapd.conf on upgrade.
   * "schemacheck" directives are no longer supported; comment them out on
     upgrade since this option was set by default in sarge.
   * Package description updates; thanks to Christian Perrier
     <[EMAIL PROTECTED]> and the Smith review project for these improvements.
   * Incorporate debconf template changes suggested by the debian-l10n-english
     team as part of the Smith review project. Closes: #447224.

   [ Russ Allbery ]
   * Removed fix_ldif and all remaining code to try running it on LDIF dumps.
     Schema checking has been imposed since 2.1 and it's highly unlikely that
     anyone still needs this.
   * Move the checkpoint directive in the default slapd.conf below the
     database and suffix directives for the primary database. This is now
     required for OpenLDAP 2.4.
   * Create /etc/ldap/slapd.conf owned by the openldap group and mode 640 by
     default so that slapindex and friends can read it when run as the
     openldap user. Fix permissions on upgrade if slapd.conf is owned by root
     and mode 600. Closes: #432662.
   * Drop slapd patch to read slapd.conf before dropping privileges, since
     slapd.conf should now be readable by SLAPD_GROUP.
   * If SLAPD_CONF is set to a directory in /etc/default/slapd, assume the
     cn=config backend is used and start slapd with the appropriate options.
     Based on a patch from Mike Burr. Closes: #411413.
   * Rework slapd's README.Debian:
     - Document the BerkeleyDB version. Closes: #438127.
     - Document how to direct slapd's logs to another file. Closes: #258931.
     - Remove obsolete information about TLS/SSL and OpenLDAP 2.0 upgrades.
     - Recommend HDB instead of BDB.
     - Generally reformat and reorganize.
   * Patch cleanup:
     - Combine the NTLM patches for Evolution into a single patch.
     - Add explanatory comments to every patch.
     - Refresh all patches to remove diff garbage and trailing whitespace.
   * debian/rules cleanup:
     - Fix patch dependencies for parallel build (hopefully).
     - Tell configure the system type.
     - Rewrite upstream_strip_nondfsg.sh as a get-orig-source target.
     - Remove stamp files as the first step of the clean target.
     - Add trivial build-arch and build-indep targets.
     - Remove dead code and unnecessary comments.
   * Remove postrm code to delete /var/lib/slapd/upgrade* flag files. We
     haven't used those since the 2.1 upgrade.
   * Update Vcs-* headers for new repository layout.
   * Remove versioned dependency on an ancient dpkg-dev.
   * Wrap and reorder Build-Depends for readability.

   [ Updated debconf translations ]
   * Czech, thanks to Miroslav Kure <[EMAIL PROTECTED]>. Closes: #458215.
   * German, thanks to Helge Kreutzmann <[EMAIL PROTECTED]>. Closes: #452833.
   * Spanish
   * Finnish, thanks to Esko Arajärvi <[EMAIL PROTECTED]>. Closes: #448061.
   * French, thanks to Christian Perrier <[EMAIL PROTECTED]>. Closes: #452632.
   * Galician, thanks to Jacobo Tarrio <[EMAIL PROTECTED]>. Closes: #451158.
   * Italian, thanks to Luca Monducci <[EMAIL PROTECTED]>. Closes: #449442.
   * Japanese, thanks to Kenshi Muto <[EMAIL PROTECTED]>. Closes: #451325.
   * Dutch, thanks to Bart Cornelis <[EMAIL PROTECTED]>. Closes: #448935.
   * Brazilian Portuguese
   * Portuguese, thanks to Tiago Fernandes <[EMAIL PROTECTED]>. Closes: #453341.
   * Russian, thanks to Yuri Kozlov <[EMAIL PROTECTED]>. Closes: #453318.
   * Vietnamese, thanks to Clytie Siddall <[EMAIL PROTECTED]>. Closes: #453411.
--- End Message ---

