[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#387467: marked as done (libnss-ldap: "tls_cacertfile" is being ignored)

Your message dated Wed, 16 Nov 2022 01:20:11 +0000
with message-id <E1ov763-0016tp-7a@fasolo.debian.org>
and subject line Bug#1024140: Removed package(s) from unstable
has caused the Debian Bug report #387467,
regarding libnss-ldap: "tls_cacertfile" is being ignored
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
387467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=387467
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: libnss-ldap
Version: 251-5.1
Severity: normal


Hi,

libnss-ldap seems to ignore the tls_cacertfile option in
libnss-ldap.conf. More specifically, if /etc/ldap/ldap.conf is empty and
tls_cacertfile is only set in libnss-ldap.conf, then TLS negotiation
with the LDAP server fails. The strace output of "getent passwd foo"
contains the following line where normally the CA certificate should
have been opened:

open(NULL, O_RDONLY)                    = -1 EFAULT (Bad address)

If the TLS_CACERT option is set in /etc/ldap/ldap.conf, then everything
works fine, and instead of the above open(NULL) there is the opening of
the CA certificate, as expected. In fact, if TLS_CACERT is set in
/etc/ldap/ldap.conf, then the value of tls_cacertfile in
libnss-ldap.conf seems to be ignored.

Looking at the strace output, libnss-ldap.conf is parsed before
/etc/ldap/ldap.conf. Is it possible that the parsing of
/etc/ldap/ldap.conf resets the TLS options configured in
libnss-ldap.conf?

Gabor

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.17libata
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0]       1.5.4        Debian configuration management sy
ii  libc6                       2.3.6.ds1-4  GNU C Library: Shared libraries
ii  libkrb53                    1.4.4-1      MIT Kerberos runtime libraries
ii  libldap2                    2.1.30-13+b1 OpenLDAP libraries

Versions of packages libnss-ldap recommends:
ii  libpam-ldap                  180-1.1     Pluggable Authentication Module al
ii  nscd                         2.3.6.ds1-4 GNU C Library: Name Service Cache 

-- debconf information excluded

--- End Message ---
--- Begin Message --- 
Version: 265-6+rm

Dear submitter,

as the package libnss-ldap has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1024140

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---
Reply to: