[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
** Changed in: libldap-ruby (Ubuntu)
   Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/381791

Title: LDAP::SSLConn from ruby fails, probably from not seeing cert

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libldap-ruby/+bug/381791/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
I get the same error on my Ubuntu Hardy setup on a slicehost, however I know the gem works because when I run the exact same rails app on my local development server, it works perfectly. I realize it's been over a year since the last comment, but PLEASE let me know if you found/find a way to get this working!
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
I got some comments that this might have to do with Debian/Ubuntu linking with gnutls instead of openssl by default. I am trying to put together an openssl build right now, but that is being difficult too. Apparently openssl might be less difficult with certain certificates.
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
I may misunderstand what is going on with this, but it appears there is no definition of bind specific to my SSL usage inside the sslconn.c source file given the preprocessor define symbol / state I am experiencing of USE_OPENLDAP_SSLCONN, the implication seeming to be that this version of the source file just leaves it, and presumably the internals it needs, out. Perhaps it is intentionally left broken? More likely it just doesn't have some recent version of something; I will see if I can find it in the version from CentOS or something. I know it works in CentOS. Still open to suggestions here.
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
Given further traces I installed, it appears I get an exception in the following location right after trace 7a:

    fprintf(stderr,"trace 7 rb_ldap_conn_bind_s\n");
    ldapdata->err = ldap_bind_s (ldapdata->ldap, dn, passwd, method);
    fprintf(stderr,"trace 7a rb_ldap_conn_bind_s\n");
    Check_LDAP_Result (ldapdata->err);
    fprintf(stderr,"trace 7b rb_ldap_conn_bind_s\n");
    ldapdata->bind = 1;
    fprintf(stderr,"trace 8 rb_ldap_conn_bind_s\n");
    if (rb_block_given_p ())
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
I just put some trace statements in all the functions with the word 'bind' in them in sslconn.c, and compiling and running that, along with some in the initializer, I show said initializer is called, but none of the 'bind' functions in that file are called. So my guess is the bind method I am using is in the conn.c file only. I don't see a special bind call in the documentation, so I appear to be using the correct ruby to do this. If there is a special sslbind, it is not in the present http://ruby-ldap.sourceforge.net/rdoc. So, I think the critical thing is the ldap software is trying to use the non-sslconn bind for the sslconn state.
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
> someone with a little energy could in fact get in and hack this together anyway

Please feel free to do so:

    apt-get source libldap-ruby1.8

You might try building ruby-ldap from source separately to see if you can get it to behave the way you want, and then see what changes are needed to the deb to match. I notice the changelog in the deb says ssl is supported, but maybe it hasn't been exercised for a while.

However, from a tcpdump you posted on ruby-talk, it looks like SSL *is* being negotiated - certainly the certificate is being sent from the server and there is a further back-and-forth communication before the connection is dropped. This suggests to me that ssl is working fine, but the connection is being dropped later for some other reason - maybe a failure to verify the certificate as you suggested, or maybe something else.

If you could hack the code to give a better result than just "Can't contact LDAP server" that would be awesome. Maybe just some fprintf(stderr, ...) entries would help pin down your specific problem.
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
Okay, this is probably important to add: On the Ubuntu server machines I'm using, when I do a plain openssl call like so:

    openssl s_client -connect ipaddr:port

where ipaddr and port are definitely correct and shown to work in all other ways with the ldap server we are trying to configure, we get data back with the following ending:

    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-MD5
        Session-ID: 46AEE896A3CB7B0C0044D1169EA9672E769D7BF64194F96D8378D08D750D60AA
        Session-ID-ctx:
        Master-Key: FEADCD684F8CCEEA674C2D725D6BB5E4C1716B877C2B6B176E1C5BD0590D0CDFA28CC93BEB07548C997BD6B2FAB7009F
        Key-Arg   : None
        Start Time: 1243885042
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---snip---

so a 19, and supposedly we don't have a nice cert. But the cert is there, and when I specify it thus:

    openssl s_client -connect ipaddr:port -CAfile $certpath

I get output indicating normal access to our cert:

    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-MD5
        Session-ID: 46AECE8C1C97B9CE8D0547CD2FFF0DB787B11E90A2E4387A430CBEB3996BA67C
        Session-ID-ctx:
        Master-Key: 57B5AD4C296C9B0987539FB728F6ADBC7C6A9C579F0E119E87F7B621769D738053220479ADBA5E811EB163E273D5034E
        Key-Arg   : None
        Start Time: 1243888048
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    snip

so a zero; unixy success. So, it seems to me there is a seriously likely guess to be made here since the responses I got back are similar in wording from openssl and the LDAPpy API to ruby. I hope this helps.

xc
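Added example, not part of this bug thread or of ruby-ldap: it reproduces the two verify return codes quoted above offline with Ruby's OpenSSL bindings by constructing a throwaway CA and a server certificate signed by it (all names and lifetimes are constructed), then verifying the server certificate with the CA absent, with the CA present only in the peer's chain, and with the CA loaded as a trust anchor, the equivalent of -CAfile.

```ruby
require 'openssl'

# Build an X.509 v3 certificate. With issuer_cert nil the cert is self-signed (a CA root).
# All names and lifetimes are constructed for this example, not taken from any real deployment.
def make_cert(subject, issuer_cert, issuer_key, key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Example Test CA', nil, CA_KEY, CA_KEY, 1, ca: true)
SRV_KEY = OpenSSL::PKey::RSA.new(2048)
SRV_CERT = make_cert('/CN=ldap.example.test', CA_CERT, CA_KEY, SRV_KEY, 2)

# Verify a server certificate the way s_client does: +chain+ is what the peer sent,
# +trusted+ plays the role of -CAfile. Returns the X509_V_ERR code (0 means "ok").
def verify_code(leaf, chain, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.verify(leaf, chain)
  store.error
end

if __FILE__ == $0
  # 20: issuer found nowhere (unable to get local issuer certificate)
  puts verify_code(SRV_CERT, [], [])
  # 19: the server sends its self-signed root in the chain, but nothing trusts it
  puts verify_code(SRV_CERT, [CA_CERT], [])
  # 0: the CA is a trust anchor, as with -CAfile
  puts verify_code(SRV_CERT, [CA_CERT], [CA_CERT])
end
```

When ruby-ldap is built against OpenLDAP's libldap (the USE_OPENLDAP_SSLCONN build mentioned elsewhere in this thread), the trust anchor is configured in libldap rather than in Ruby: TLS_CACERT in ldap.conf, or the LDAPTLS_CACERT environment variable, is the counterpart of -CAfile here.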
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
Can somebody tell me here if this is perhaps intentionally made not to work? I have seen other posts that seem to indicate LDAP::SSLConn has never worked, and perhaps is intended not to work because of the implications for password guessing attacks. Excuse me if I impose my pressure and political beliefs (pointing out that the key is under the front mat) by saying that someone with a little energy could in fact get in and hack this together anyway. Perhaps the real problem though is with the techno ninnies who in fact don't have enough intellect to do so but have enough to cause stupid amounts of trouble. At any rate, this kind of thing could be very useful, can be done I have determined from a RedHat and CentOS box, and I would think would be something you'd want to be able to do from any server given directions in automation. Perhaps this is just whining, but I think I should be able to do this easily and shops should make security around that fact, and not vice versa.
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
In case this wasn't clear, the 636 port and ldap server hostname are both used in other combinations elsewhere, so we know these are correct for our testing.
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
No. I had not. I just did, however, install it on my test system, and it still gets the same diagnostic:

    trace 5 oops, Can't contact LDAP server

I was really hoping when I saw your post that you had found the problem. I wonder if there is some other combination I might have left out. It would be great if this was just a matter of my leaving out a package, or a package omitting a dependency, but people that helped me test this seemed to indicate the certificate was just not being seen. If we could know a place to put the certs where it would be seen that would fix it apparently, as the shell command openssl does the activities properly, and this only fails in the ruby package.

However it would also be nice if
1) one could specify a location from the API,
2) one could see clear documentation of the proper location for the cert,
3) one could turn off the cert requirement from the API, and
4) a cert in the same directory as the script programmed was automatically seen for the purposes of testing and simple use.

I highly recommend all these 4 items. If I can help I shall. Please someone recommend a next step for me to test or try.
[Bug 381791] Re: LDAP::SSLConn from ruby fails, probably from not seeing cert
Have you tried 'apt-get install libopenssl-ruby'? Ubuntu separates out all of the openssl-dependent parts of Ruby into a separate package (including things like net/https as well as openssl).