Comment 3 for bug 420277

Christian Roessner (christian-roessner-net) wrote :

I do confirm this.

And: Howard Chu still explains NOT TO USE GNUTLS with openldap! It is broken by design! Do not wonder about strange behavior if you do not trust the core developers.

http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

I asked Howard a couple of days ago and he still holds his opinion. I think Debian/Ubuntu should not change from openssl to gnutls!

For this bug:

...
1.2.36.79672281.1.13.3 (rdnMatch): 2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcAccessLogDB $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
    2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
main: TLS init failed: 0
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

And by the way: My certs are under /ca/ldapmaster.roessner-net.com

My AppArmor profile was working under intrepid. Upgrading from intrepid to jaunty does not work.

# Last Modified: Tue Sep 2 13:08:01 2008
# Author: Jamie Strandboge <email address hidden>

#include <tunables/global>
/usr/sbin/slapd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /ca/cacert_org.crt r,
  /ca/ldapmaster.roessner-net.de/newcert.pem r,
  /ca/ldapmaster.roessner-net.de/newkey.pem r,
  /etc/gai.conf r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/ldap/ldap.conf r,
  /etc/ldap/schema/* r,
  /etc/ldap/slapd.conf r,
  /etc/sasldb2 r,
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,
  /usr/lib/ldap/ r,
  /usr/lib/ldap/* mr,
  /usr/sbin/slapd mr,
  /var/lib/ldap/ r,
  /var/lib/ldap/* rw,
  /var/lib/ldap-ov/accesslog r,
  /var/lib/ldap-ov/accesslog/* rw,
  /var/lib/ldap/alock kw,
  /var/lib/ldap-ov/accesslog/alock kw,
  /var/run/slapd/* w,
}

No dmesg output that points to problems.
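As an added check, not part of this comment or of the slapd/AppArmor packages: a script that reads the TLS file directives from a slapd.conf and reports which of those paths no `r` rule in the profile covers, which is what would matter once the profile leaves complain mode. The slapd.conf fragment is constructed (the directive names are real OpenLDAP ones, the values follow the "/ca/ldapmaster.roessner-net.com" remark above); the profile excerpt repeats the cert rules from the profile above, and `#include` abstractions are not expanded.

```python
import re

# Constructed slapd.conf fragment (real OpenLDAP TLS directives, hypothetical values
# taken from the comment's "/ca/ldapmaster.roessner-net.com" remark).
SLAPD_CONF = """\
TLSCACertificateFile /ca/cacert_org.crt
TLSCertificateFile /ca/ldapmaster.roessner-net.com/newcert.pem
TLSCertificateKeyFile /ca/ldapmaster.roessner-net.com/newkey.pem
"""
# Constructed excerpt of the comment's AppArmor profile (cert rules only).
APPARMOR_PROFILE = """\
/usr/sbin/slapd flags=(complain) {
  /ca/cacert_org.crt r,
  /ca/ldapmaster.roessner-net.de/newcert.pem r,
  /ca/ldapmaster.roessner-net.de/newkey.pem r,
  /etc/ssl/private/* r,
}
"""
TLS_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")
RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")  # "<path-glob> <perms>,"

def tls_paths(conf):
    """Map each TLS file directive in slapd.conf to the path it names."""
    out = {}
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_DIRECTIVES:
            out[parts[0]] = parts[1].strip()
    return out

def profile_rules(profile):
    """(glob, perms) for each file rule; #include abstractions are not expanded."""
    return [m.groups() for m in map(RULE_RE.match, profile.splitlines()) if m]

def glob_to_re(glob):
    """AppArmor '*' stays inside one path component; '**' may cross '/'."""
    pat = re.escape(glob).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + pat + "$")

def readable(path, rules):
    """True if some rule with an 'r' permission matches the path."""
    return any("r" in perms and glob_to_re(glob).match(path) for glob, perms in rules)

def unreadable_tls_files(conf=SLAPD_CONF, profile=APPARMOR_PROFILE):
    """TLS files slapd would be denied read access to once the profile is enforced."""
    rules = profile_rules(profile)
    return {d: p for d, p in tls_paths(conf).items() if not readable(p, rules)}
```

With the constructed inputs the script flags the two `.com` certificate paths, since the profile only lists the `.de` directory.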