[Bug 240387] Re: php5-ldap TLS (start_tls) quirks
** Changed in: php5 (Ubuntu)
Status: Incomplete => Confirmed

--
php5-ldap TLS (start_tls) quirks
https://bugs.launchpad.net/bugs/240387
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in ubuntu.

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 240387] Re: php5-ldap TLS (start_tls) quirks
I can confirm this issue for both Apache2 with the authnz_ldap module and php5-ldap running on Ubuntu Hardy x64. I've tested against both a Dapper server running slapd and a Hardy server running slapd. The problem seems worse when the LDAP server is also running under Hardy.

The failed logins are inconsistent, and when Apache fails it gives a 500 error; php5-ldap seems to just connect and immediately disconnect from LDAP and fail to authenticate. The only solution we've found is to install stunnel4 as a client, send requests to LDAP on the localhost and have stunnel convert them to ldaps on the remote host.

I have noticed that in Hardy slapd is now using GnuTLS instead of OpenSSL; could this be related? Does anyone know if php5-ldap is calling the local LDAP client to make the connection? Does it error because it is using an OpenLDAP client to talk to a GnuTLS server? Has anyone figured out a more appropriate fix?
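The report above cannot tell whether the session dies at the StartTLS step or at the bind. The helper below is an added example, not code from the thread or from php5-ldap itself; it records the LDAP result code for each step separately and, when StartTLS is refused, retries with a small back-off rather than binding in cleartext. Server name, bind DN and password are placeholders; only functions available in PHP 5 (ldap_connect, ldap_start_tls, ldap_bind, ldap_errno, ldap_error) are used.

```php
<?php
// Added example (not from the bug thread): a StartTLS bind helper that reports
// exactly which step fails (connect, StartTLS or bind) and never falls back to
// a cleartext bind when StartTLS is refused. All names are placeholders.

function ldap_starttls_bind($uri, $bind_dn, $password, $attempts = 3)
{
    $last = 'no attempt made';
    for ($try = 1; $try <= $attempts; $try++) {
        $conn = ldap_connect($uri);                // only validates the URI syntax
        if ($conn === false) {
            $last = "ldap_connect rejected URI $uri";
            break;                                 // not transient, do not retry
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS needs LDAPv3
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

        // Step 1: StartTLS. A failure here is what the thread describes as
        // "connects and immediately disconnects"; keep the server's result code.
        if (!@ldap_start_tls($conn)) {
            $last = sprintf('StartTLS failed (try %d of %d): [%d] %s',
                            $try, $attempts, ldap_errno($conn), ldap_error($conn));
            ldap_unbind($conn);
            usleep(200000 * $try);                 // back off while slapd is loaded
            continue;                              // retry, but never bind in clear
        }

        // Step 2: bind over the now-encrypted session.
        if (@ldap_bind($conn, $bind_dn, $password)) {
            return $conn;                          // caller owns the handle
        }
        $errno = ldap_errno($conn);
        $last  = sprintf('bind failed after StartTLS (try %d): [%d] %s',
                         $try, $errno, ldap_error($conn));
        ldap_unbind($conn);
        if ($errno === 49) {                       // LDAP_INVALID_CREDENTIALS
            break;                                 // wrong password is not transient
        }
        usleep(200000 * $try);                     // server-side error: retry
    }
    throw new RuntimeException($last);
}

// Usage with placeholder values (password taken from the environment, not the source):
// $c = ldap_starttls_bind('ldap://ldap.example.internal',
//                         'cn=reader,dc=example,dc=internal', getenv('LDAP_PW'));
```

The thrown message distinguishes a refused StartTLS from a bind failure, which is the first thing to compare against the slapd -d 255 output when the failure is intermittent.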
[Bug 240387] Re: php5-ldap TLS (start_tls) quirks
I was finally able to capture an strace of slapd with the error happening (apache auth_ldap failing the starttls). Captured with the following command:

    strace /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d 255

See attached text file (large part of certificate dump removed).

** Attachment added: strace and debug 255 output of slapd with failed client starttls
http://launchpadlibrarian.net/16377707/strace_slapd_starttls_failed
[Bug 240387] Re: php5-ldap TLS (start_tls) quirks
From hardy?
[Bug 240387] Re: php5-ldap TLS (start_tls) quirks
I think I was able to reproduce this, but the start_tls errors were intermittent. I'm testing on a P3 448MHz, and initially had the error quite frequently. I then updated all the packages on the system and the error became less frequent. I also updated the slapd indexes to match our production system. After updating the indexes using slapindex, it was much harder to recreate the error.

For me it only seemed to happen when slapd was under heavy load, and only with php5-ldap. I also tested with python-ldap and didn't see the error. Additionally I kept Apache configured with authnz-ldap during my tests.

I ran slapd from console using:

    sudo slapd -u openldap -g openldap -f /etc/ldap/slapd -d -1

and didn't see any errors between when a start_tls error occurred and when one didn't.

Can you post your indexes from /etc/ldap/slapd.conf?

Thanks,
Adam
[Bug 240387] Re: php5-ldap TLS (start_tls) quirks
I have turned off authnz-ldap apache authentication for the specific site and that seems to do the trick ... of course now all my pages are out in the open but at least the scripts run with startTLS ... so it seems to be a combination of starttls with apache authnz-ldap config and the php script itself using starttls ...
[Bug 240387] Re: php5-ldap TLS (start_tls) quirks
** Changed in: php5 (Ubuntu)
Status: New => Incomplete
[Bug 240387] Re: php5-ldap TLS (start_tls) quirks
This might be due to openldap quirks. Can you enable hardy-proposed and test out the new openldap version there?

Thanks,
Chuck