Re: [Bug 66741] Re: Long delays enumerating users

2008-09-22 Thread Marco Gaiarin

 Tell me if I have to open a new bug; I've searched for 'tls_cacertfile' on
 Launchpad but it seems that there's no reference... no, wait a moment:

 https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/241128

 It seems I have to use tls_checkpeer=yes; I'll do some tests. ;)

No, whatever I set tls_checkpeer to in /etc/ldap.conf, I *have* to set
TLS_CACERT in /etc/ldap/ldap.conf to make it work.

Tell me if I can do something more to debug this...

-- 
Long delays enumerating users
https://bugs.launchpad.net/bugs/66741
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


Re: [Bug 66741] Re: Long delays enumerating users

2008-09-06 Thread Marco Gaiarin
Hello, Mathias Gug!
  On that day you said...

 Openldap 2.4 is compiled against gnutls which doesn't support
 TLS_CACERTDIR. 
 See https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/242313.

Uh, oh... this clearly solves this bug, because if TLS_CACERTDIR does
not work anymore, clearly there are no certificates to 'enumerate'...
;-)))

Issue 1 remains: why do I have to set the 'global' /etc/ldap/ldap.conf
CA certificate via TLS_CACERTDIR because the 'local' /etc/ldap.conf
CA certificate via tls_cacertfile does not work?

Tell me if I have to open a new bug; I've searched for 'tls_cacertfile' on
Launchpad but it seems that there's no reference... no, wait a moment:

https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/241128

It seems I have to use tls_checkpeer=yes; I'll do some tests. ;)


 Make sure that you're not using self-signed certificates on the clients.

No, I use a local CA built with TinyCA.

-- 
Marco ``Gaio'' Gaiarin   | LUG Pordenone(http://www.pordenone.linux.it)
P.zza S. Tommaso, 20 | Lilliput BBS  (http://bbs.lilliput.linux.it)
Cimpello di Fiume Veneto | Azione Cattolica - Concordia-Pordenone
33080 Pordenone (Italia) |   (http://www.ac.concordia-pordenone.it)
Tel.   +39-0434-56-1305  | http://www.gaiarin.it/ [EMAIL PROTECTED]



[Bug 66741] Re: Long delays enumerating users

2008-09-05 Thread Marco Gaiarin

Still an issue (Ubuntu Hardy, just upgraded), but in a different way.

Effectively there's no more delay 'enumerating' certificates, but there
is still some trouble, or at least things that I cannot explain. For
example:

1) The only way to have libnss-ldap/libpam-ldap use the correct certificate
is to put it as 'TLS_CACERT   /etc/ssl/certs/LNFFVG.pem' in
/etc/ldap/ldap.conf (libldap 'global' config file); if I put
'tls_cacertfile /etc/ssl/certs/LNFFVG.pem' in /etc/ldap.conf, it is
completely ignored.

2) It seems that now setting TLS_CACERTDIR (for /etc/ldap/ldap.conf) or
tls_cacertdir (for /etc/ldap.conf) does nothing, e.g. you have to select
the certificate explicitly to make it work.

Clearly my CA certificates are in place, correctly 'hashed' with
c_rehash.

The second problem seems a general libldap bug or misunderstanding,
because if I comment out TLS_CACERT in /etc/ldap/ldap.conf also simple
tools like ldapsearch stop working. Boh.

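
A configuration audit built from the behaviour reported in this thread, as an added example that is not part of the original messages or of any Ubuntu or OpenLDAP tooling. The function names `get_opt` and `audit_ldap_tls` are hypothetical, and treating `tls_checkpeer no` as a failure is this example's own policy choice.

```shell
#!/bin/sh
# Added example: audit the CA settings of the two LDAP client config files
# discussed in the thread. Usage: audit_ldap_tls [libldap_conf] [nss_conf]

# Print the last value assigned to KEY ($2) in FILE ($1); keys are matched
# case-insensitively and comment lines are skipped.
get_opt() {
    [ -r "$1" ] || return 0
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { val = $2 }
        END { if (val != "") print val }' "$1"
}

# Print one finding per line; return 1 if any FAIL was reported.
audit_ldap_tls() {
    libldap_conf=${1:-/etc/ldap/ldap.conf}   # libldap "global" file
    nss_conf=${2:-/etc/ldap.conf}            # libnss-ldap/libpam-ldap file
    rc=0
    cacert=$(get_opt "$libldap_conf" TLS_CACERT)
    cadir=$(get_opt "$libldap_conf" TLS_CACERTDIR)
    nss_file=$(get_opt "$nss_conf" tls_cacertfile)
    nss_dir=$(get_opt "$nss_conf" tls_cacertdir)
    checkpeer=$(get_opt "$nss_conf" tls_checkpeer)

    if [ -z "$cacert" ]; then
        echo "FAIL: no TLS_CACERT in $libldap_conf"; rc=1
    elif [ ! -r "$cacert" ]; then
        echo "FAIL: TLS_CACERT $cacert is not readable"; rc=1
    else
        echo "OK: TLS_CACERT $cacert"
    fi
    # Per the thread: the GnuTLS build of libldap does not support CACERTDIR.
    if [ -n "$cadir$nss_dir" ]; then
        echo "WARN: CA directory set (${cadir:-$nss_dir}); name the CA file explicitly"
    fi
    # Per the thread: tls_cacertfile alone was ignored without TLS_CACERT.
    if [ -n "$nss_file" ] && [ -z "$cacert" ]; then
        echo "WARN: tls_cacertfile in $nss_conf is not backed by TLS_CACERT"
    fi
    if [ "$checkpeer" = "no" ]; then
        echo "FAIL: tls_checkpeer no disables server certificate verification"; rc=1
    fi
    return $rc
}
```

Called with no arguments, `audit_ldap_tls` reads the two real paths named in the thread; the exit status makes it usable as a provisioning or monitoring check.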