Bug#277767: [Pkg-shadow-devel] Progress on this bug report?
Alexander Gattin wrote:
> Hi!
>
> On Mon, Apr 03, 2006 at 01:42:09PM +0100, Greg Matthews wrote:
>> I have no simple way of testing this as I have no host with this version.

Alexander... I've bitten the bullet and installed a fresh testing on my desktop. The bug does appear to be history on this platform. I can't reproduce it.

> Yeah, I understand you very well indeed. :) E.g. I have a problem with apcupsd-cgi on one Debian/testing host while everything is OK on 2 Sarge hosts. Maintainer of apcupsd-cgi suggested me to upgrade one stable host to testing and check whether the problem appears. ;)

I wasn't able to dist-upgrade and ended up with a slightly crippled box. So the rest of the day was spent reinstalling and moving from Evolution to Thunderbird (Evolution freezing too often - I had enough of it).

There was one ldap related issue which was to do with having "files ldap" as a lookup for protocols/services in /etc/nsswitch.conf. This causes udev to not start properly. I need to narrow it down to one of the above - my suspicion is protocols. Obviously, udev not coming up makes the host pretty useless.

> OK. But I think it's not the right time to close this bug. Christian, please wait a bit. I'll check the setup on sarge to see whether it has any security impact or not. Security-related bugs should be fixed in stable AFAIR. And I have A LOT ;) of sarge hosts in Lab, all of them _will_ be promoted from NIS to LDAP, anyway. Contrary to Greg's situation, it's not a matter of hosts availability but availability of time...

GREG

-- 
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

-- 
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#277767: [Pkg-shadow-devel] Progress on this bug report?
On Thu, 2006-03-30 at 23:46 +0300, Alexander Gattin wrote:
> So, I think the testing/unstable system is free from bug #277767. Greg, I'll check it on sarge soon. If you like, you may check it on a testing system on your side to see whether it is actually fixed in Debian/testing or not.

I have no simple way of testing this as I have no host with this version.

> Main problem is that if you upgrade a sarge system to Debian/testing, you won't be able to return to Debian/stable easily as libc6 will be upgraded (this is a one-way ticket unfortunately).

yes, and I have a limited number of Debian hosts at my disposal... if I do manage to check against testing/unstable, I'll post to the bug report to confirm fix or reopen.

G

-- 
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford
Bug#277767: [Pkg-shadow-devel] Bug#277767: Progress on this bug report?
On Mon, 2006-03-27 at 23:30 +0300, Alexander Gattin wrote:
> Today I have finally managed to make openldap (slapd) work with TLS/SSL. Initially I tried DSA certs, and this always resulted in SSL handshake failure (no shared cipher), despite all my efforts, including different clients (pam_ldap, ldapsearch, openssl s_client) and attempts to trace the root cause of the issue (I used slapd -d 65535, s_client's debug, tcpdump, then ssldump...).

never had too much problem setting up either start_TLS or ldaps security, although I've always used RSA I think. There's a fair amount of info at the faq-o-matic over at openldap.org (some people can't stand faq-o-matic though), and plenty of old war stories on the web - might be worth looking at the ITSS site over at Stanford. Otherwise, give me a yell and I'll help if I can.

> Ultimately, with the same cert/key pair, s_server succeeded with s_client (where slapd didn't). Well, for this I used ldaps:///, because ldap:///+TLS can't work with s_client AFAIU. But anyway this clearly shows there's something wrong with slapd, as s_server works OK under the same conditions...

might be worth asking on the openldap mailing list and/or submitting a bug report.

> Then I created an RSA cert of almost the same contents (RSA had email while DSA hadn't) and bitlength. This surprisingly enabled s_client to succeed. I suspect a bug in slapd's handling of SSL_CTX or DH params... I'd love to have more time to check and report it. :(
>
>> It looks like the bug is in libnss-ldap, or libpam-ldap, not in su, but this has to be proven first.
>
> Soon I'll be close to this.

getting there... ;)

G

-- 
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford
Bug#277767: [Pkg-shadow-devel] Bug#277767: Progress on this bug report?
On Mon, 2006-03-06 at 00:43 +0200, Alexander Gattin wrote:
> I first heard about TLS_CACERTDIR from you. What is it usually used for? Having different CAs trusted by the user gathered in one place?

yes, you can have a number of different CA certs depending on what you are connecting to. Dropping them into a directory means the ldap tools will be able to use them (after the symbolic links have been set up).

> It looks like the bug is in libnss-ldap, or libpam-ldap, not in su, but this has to be proven first.

ok

> OK, so you don't use samba schemas, neither do smbldap-* tools...

samba integration is on my todo list.

> BTW, what tools do you use for user/group account maintenance? ldapscripts?

i use some perl scripts that are based on some code I found on the web and then heavily modified. It's not great but it works. Really only useful for adding and deleting; modifications are best done via a browser/editor like GQ or JXplorer (GQ is best but development is stalled, JXplorer is Java and works cross-platform) or one of the web browser based utils.

GREG

> P.S. thanks for your help, Greg.

-- 
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford
Bug#277767: [Pkg-shadow-devel] Bug#277767: Progress on this bug report?
On Thu, 2006-03-02 at 00:52 +0200, Alexander Gattin wrote:
> Hi!
>
> On Mon, Feb 27, 2006 at 07:20:45AM +0100, Christian Perrier wrote:
>>>> P.S. The required infrastructure will be ready soon.
>>> And now, one month later?
>> And now, *two* months later? :-)
>
> Oh, yeah, now it's 2 months closer to completion ;) Actually, a lot of different and I'd say boring job found me meanwhile, but in rare free time I did some experiments.
>
> WRT the bug, I'd like to know what schemes etc. did the bug submitter use. Greg?

Hi... sorry for the long silence, change of job etc... just trying to reproduce this bug and the symptoms seem to have changed, I don't get a segfault but su is still failing:

with TLS_CACERTDIR:

$ su -
Sorry.
$

with TLS_CACERT:

$ su -
Password:
#

current pkg versions on debian sarge host:
libnss-ldap 238-1
libpam-ldap 178-1sarge1

wrt schemas, I assume you mean the relevant objectclasses for my user object? In this case I am using the rather restrictive account, with posixAccount and shadowAccount. The server is using the following schema files:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/locking.schema
include /usr/local/etc/openldap/schema/solaris.schema
include /usr/local/etc/openldap/schema/DUAConfig.schema
include /usr/local/etc/openldap/schema/automount.schema
include /usr/local/etc/openldap/schema/eduperson.schema

but locking, solaris and eduperson are not being used.

Another datapoint: if I strace the su - I do actually get prompted for a password (without strace I get an instant Sorry.), and the error

su: Authentication failure

G

-- 
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford
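Two details in this thread go together: Greg's earlier reply that certificates dropped into a TLS_CACERTDIR only become usable "after the symbolic links have been set up", and the message above where su answers "Sorry." with TLS_CACERTDIR but prompts for a password with TLS_CACERT. Whether or not that was the root cause on Greg's host, the hashed links are the first thing to rule out, because an OpenSSL-linked client never opens a CA file in that directory by name. The script below is an added example, not code from the thread or from the Debian packages: it creates the links, checks that a given CA is reachable through them, and confirms with OpenSSL's own lookup. The directory layout, the throwaway CA subject and the ldap.conf line are assumptions made for the demonstration, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Debian packages): build a
# TLS_CACERTDIR the way OpenSSL-linked LDAP clients expect it, and verify it
# before pointing ldap.conf at it.  The directory, the throwaway CA subject
# and the ldap.conf line below are assumptions made for the demonstration.
set -eu

# Constructed throwaway CA for the demonstration: NOT a real trust anchor.
make_throwaway_ca() {
    out=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=lab-throwaway-ca" \
        -keyout "$out/ca.key" -out "$out/ca.pem" >/dev/null 2>&1
}

# Create <subject_hash>.N links for every PEM cert in DIR.  A client given
# TLS_CACERTDIR never opens ca.pem by name: it opens <hash>.0, <hash>.1, ...
# so a directory without these links behaves as if no CA were configured.
rehash_cadir() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert")
        n=0
        # Different CAs can collide on the 4-byte hash; take the next free suffix.
        while [ -e "$dir/$hash.$n" ]; do
            if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ]; then
                continue 2      # this cert is already linked
            fi
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# True if CERT is reachable through a hash link in DIR: the condition that
# separates a usable TLS_CACERTDIR from one that makes every TLS bind fail.
cadir_has_cert() {
    dir=$1; cert=$2
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    for link in "$dir/$hash".*; do
        [ -L "$link" ] || continue
        [ "$(readlink -f "$link")" = "$(readlink -f "$cert")" ] && return 0
    done
    return 1
}

# Same check with OpenSSL's own lookup: a self-signed CA verifies against a
# CApath only if its hash link is there.
cadir_verifies() {
    dir=$1; cert=$2
    openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1
}

# Usage: a fresh directory, the constructed CA dropped in, hashed, checked.
# The matching client side would be, in /etc/ldap/ldap.conf (assumed path):
#     TLS_CACERTDIR /etc/ssl/ldap-cas
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_throwaway_ca "$d"
    cadir_has_cert "$d" "$d/ca.pem" && echo "unexpected: linked before rehash"
    rehash_cadir "$d"
    cadir_has_cert "$d" "$d/ca.pem" && echo "hash link present in $d"
    cadir_verifies "$d" "$d/ca.pem" && echo "openssl verify -CApath OK"
    ls -l "$d"
fi
```

Re-run rehash_cadir whenever a CA is added; the function is idempotent. One caveat that matters on a sarge-era host: OpenSSL changed the subject-hash algorithm in 1.0.0, so a directory hashed by a newer openssl is invisible to a client linked against 0.9.x. For such a client, create the extra links from the value printed by `openssl x509 -noout -subject_hash_old`.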
Bug#277767: [Pkg-shadow-devel] Bug#277767: Bugs still here?
On Mon, 2005-04-18 at 22:33 +0300, Alexander Gattin wrote:
> Hi!
>
> On Mon, Apr 18, 2005 at 05:53:29PM +0200, Christian Perrier wrote:
>>> if you can setup LDAP authentication with TLS encryption then you should be able to reproduce it.
>> I'm not sure that we have, in the team, someone able to build such a setup.

I'm happy to test fixes here.

G

> I'll try to set up LDAP auth at the lab. Anyway there's a need for this/such.

-- 
Greg Matthews iTSS Wallingford 01491 692445
Bug#277767: [Pkg-shadow-devel] Bug#277767: Bugs still here?
On Tue, 2005-04-19 at 11:58 +0200, Christian Perrier wrote:
>> I'm happy to test fixes here.
>
> Thanks for the offer, Greg. Alex will try working on this bug as he mentioned. So, I'm sure he will welcome any validation offer. Would you need compiled packages of login/passwd for that, or are you in a position to test patches and rebuild the packages yourself?

I'll most likely be testing on my work desktop so binary pkgs would be more likely to get tested quickly. I would have to mug up on building Debian source pkgs again.

G

-- 
Greg Matthews iTSS Wallingford 01491 692445
Bug#302629: Fails parsing LDIF during upgrade
This appears to be an LDIF parsing problem (which is why I have submitted it to this bug number). In fact it is more subtle than that. Feel free to move this to a different bug number if necessary.

The error during a dist-upgrade was:

Installing new version of config file /etc/init.d/slapd ...
Updating config access directives... done.
Moving old database directories to /var/backups:
- directory dc=lea,dc=my,dc=base... done.
Loading from /var/backups/slapd-2.1.30-3:
- directory dc=lea,dc=my,dc=base... slapadd: could not add entry dn=dc=my,dc=base (line=14): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
failed.
dpkg: error processing slapd (--configure):
subprocess post-installation script returned error exit status 1

attempting to manually slapadd the LDIF file produced:

/usr/sbin/slapadd -f /etc/ldap/slapd.conf -l /var/backups/slapd-2.1.30-3/foo.ldif
slapadd: could not parse entry (line=14)

turning on debug info produced:

/usr/sbin/slapadd -d1 -f /etc/ldap/slapd.conf -l /var/backups/slapd-2.1.30-3/foo.ldif
snip
backend_startup: starting dc=lea,dc=my,dc=base
bdb_db_open: dbenv_open(/var/lib/ldap) =
str2entry: dn: dc=my,dc=base
dc: my
objectClass: top
objectClass: domain
objectClass: nisDomainObject
structuralObjectClass: domain
entryUUID: 142d2f8e-52f5-1027-8b41-c022ab19fc70
creatorsName: cn=manager,dc=my,dc=base
createTimestamp: 20030725140732Z
nisDomain: foobar
entryCSN: 2003092908:57:14Z#0x0001#0#
modifiersName: cn=manager,dc=my,dc=base
modifyTimestamp: 20030929085714Z

dnPrettyNormal: dc=my,dc=base
dnPrettyNormal: dc=my,dc=base, dc=my,dc=base
str2entry: invalid value for attributeType objectClass #2 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=14)
slapadd shutdown: initiated
bdb_cache_release_all
slapadd shutdown: freeing system resources.

openldap is known for obscure error messages but I believe this is caused by trying to add data that is not within the DIT defined by the suffix. The reasons for this are outlined below.

path names are not absolute for the binaries slapadd/slapcat nor for the configuration file /etc/ldap/slapd.conf.

***This has led to complete loss of data in my directory***

I have another openldap installed in /usr/local and binaries for this installation appear first in PATH. This meant that slapcat and slapadd were working on the wrong directory and so the backup kept in /var/backups/slapd-2.1.30-3 is a backup of the wrong data and my directory data is LOST!

I suggest that binaries are defined explicitly as well as paths to config files, e.g.:

/usr/bin/slapcat -f /etc/ldap/slapd.conf -l /var/backups/slapd...
/usr/bin/slapadd -f /etc/ldap/slapd.conf -l /var/backups/sla

to prevent this happening in future.

GREG

hardware: Dell optiplex desktop
distro: sarge
kernel: 2.6.8-2-686
slapd: upgrade from 2.1.30-3 to 2.2.23 (dist-upgrade)

-- 
Greg Matthews iTSS Wallingford 01491 692445
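The report above describes a classic maintainer-script hazard: postinst runs as root with whatever PATH the administrator has, so an unqualified slapcat or slapadd resolves to the first match, here a build under /usr/local, and the "backup" is a dump of a different directory. The script below is an added example, not the slapd package's own maintainer script. It shows the two guards such a script (or an administrator's own pre-upgrade backup) can apply: refuse to proceed unless the binary PATH resolves is the packaged one, and refuse to move anything aside unless every entry in the dump lies under the suffix the configuration serves. Debian's slapd package installs slapcat and slapadd under /usr/sbin, which is what the example pins to; the config path, suffix and backup file are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not the slapd package's own maintainer script: the guards
# that would have turned the upgrade above into a clean abort instead of a
# backup of the wrong directory.  /usr/sbin is where Debian's slapd package
# installs slapcat and slapadd; the config path, suffix and backup file are
# assumptions made for the demonstration.
set -eu

SLAPCAT=/usr/sbin/slapcat
SLAPD_CONF=/etc/ldap/slapd.conf

# Fail unless the binary an unqualified NAME resolves to is the one at
# EXPECTED.  A postinst running as root inherits the admin's PATH, so a
# build under /usr/local that sorts first silently wins over the package.
same_binary() {
    name=$1; expected=$2
    found=$(command -v "$name" 2>/dev/null || true)
    if [ -z "$found" ]; then
        echo "$name: not in PATH" >&2; return 1
    fi
    if [ "$(readlink -f "$found")" != "$(readlink -f "$expected")" ]; then
        echo "$name resolves to $found, not $expected; refusing to run" >&2
        return 1
    fi
}

# Lower-case DNs on stdin and strip spaces around commas, so that
# "DC=Lea, DC=my, DC=base" compares equal to "dc=lea,dc=my,dc=base".
norm_dn_stream() {
    tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}
norm_dn() { printf '%s\n' "$1" | norm_dn_stream; }

# Every entry in a dump of the database for SUFFIX must be the suffix or
# lie beneath it.  A dump taken by the wrong binary, or with the wrong -f,
# shows up here as an entry outside the suffix (the report's dc=my,dc=base
# against dc=lea,dc=my,dc=base) before anything is moved to /var/backups.
# Assumes plain "dn:" lines; base64 "dn::" lines are not decoded.
check_dump() {
    suffix=$(norm_dn "$1"); ldif=$2
    [ -s "$ldif" ] || { echo "$ldif: empty dump" >&2; return 1; }
    bad=$(sed -n 's/^[dD][nN]:[[:space:]]*//p' "$ldif" | norm_dn_stream \
        | awk -v s="$suffix" '
            { n++
              if ($0 != s && substr($0, length($0) - length(s)) != "," s) { print; exit } }
            END { if (n == 0) print "(no dn: lines at all)" }')
    if [ -n "$bad" ]; then
        echo "$ldif: entry '$bad' is outside suffix '$suffix'" >&2; return 1
    fi
}

# Dump one database with fully qualified paths and verify the result; a
# caller moves the old directory aside only after this returns 0.
safe_slapcat() {
    suffix=$1; out=$2
    same_binary slapcat "$SLAPCAT"
    "$SLAPCAT" -f "$SLAPD_CONF" -b "$suffix" -l "$out"
    check_dump "$suffix" "$out"
}
```

Pinning the path is the fix the report asks for; the dump check is the second line of defence and catches the same class of mistake from any direction (wrong -f, wrong -b, a stale file left in /var/backups), because an entry outside the configured suffix is visible in the LDIF before any database directory is touched. Run it as root with the administrator's real PATH, since that is the environment the postinst ran in.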
Bug#277767: Bugs still here?
On Sun, 2005-04-17 at 21:42 +0200, Christian Perrier wrote:
> Is this bug still here?

yes

> Given its description, it may be hard to investigate and reproduce, so I'd prefer checking whether the bug is still here before trying to find a way, or someone, who can investigate.

if you can setup LDAP authentication with TLS encryption then you should be able to reproduce it.

GREG

-- 
Greg Matthews iTSS Wallingford 01491 692445