I do confirm this.
And: Howard Chu still explains NOT TO USE GNUTLS with openldap! It is broken by design! Do not wonder about strange behavior if you do not trust the core developers.
http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
I asked Howard a couple of days ago and he still holds his opinion. I think Debian/Ubuntu should not change from openssl to gnutls!
For this bug:
...
1.2.36.79672281.1.13.3 (rdnMatch):
2.5.13.1 (distinguishedNameMatch):
matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcAccessLogDB $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
2.5.13.0 (objectIdentifierMatch):
matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
main: TLS init failed: 0
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
And by the way: My certs are under /ca/ldapmaster.roessner-net.com
My profile for apparmor was working under intrepid. Upgrading from intrepid to jaunty does not work.
# Last Modified: Tue Sep 2 13:08:01 2008
# Author: Jamie Strandboge <email address hidden>

#include <tunables/global>

/usr/sbin/slapd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /ca/cacert_org.crt r,
  /ca/ldapmaster.roessner-net.de/newcert.pem r,
  /ca/ldapmaster.roessner-net.de/newkey.pem r,
  /etc/gai.conf r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/ldap/ldap.conf r,
  /etc/ldap/schema/* r,
  /etc/ldap/slapd.conf r,
  /etc/sasldb2 r,
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,
  /usr/lib/ldap/ r,
  /usr/lib/ldap/* mr,
  /usr/sbin/slapd mr,
  /var/lib/ldap/ r,
  /var/lib/ldap/* rw,
  /var/lib/ldap-ov/accesslog r,
  /var/lib/ldap-ov/accesslog/* rw,
  /var/lib/ldap/alock kw,
  /var/lib/ldap-ov/accesslog/alock kw,
  /var/run/slapd/* w,
}
No dmesg output that points to problems.
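An added example (not from the report, OpenLDAP or the AppArmor project) of the check a practitioner would do next: pull the AppArmor audit events for the slapd profile out of the kernel log and compare the paths slapd actually tried to open against the profile's file rules. The audit lines are constructed; the rules are the file rules of the profile quoted above. Note that the report says the certificates live under /ca/ldapmaster.roessner-net.com while the profile only grants /ca/ldapmaster.roessner-net.de/, which this check flags. In complain mode such a violation is logged as apparmor="ALLOWED" rather than enforced, so it shows up in the log instead of as a failed open.

```python
import re

# Constructed kernel-log lines in AppArmor's audit format (not taken from the report).
SAMPLE_LOG = """\
audit: type=1400 audit(1238.1:45): apparmor="ALLOWED" operation="open" profile="/usr/sbin/slapd" name="/ca/ldapmaster.roessner-net.com/newkey.pem" pid=4242 comm="slapd" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1238.2:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/slapd" name="/ca/ldapmaster.roessner-net.de/newkey.pem" pid=4242 comm="slapd" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1238.3:47): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/var/lib/ldap/alock" pid=4242 comm="slapd" requested_mask="wk" denied_mask="w"
kernel: unrelated line that the parser must ignore
"""

# File rules (path -> permission letters) of the slapd profile quoted in the report.
PROFILE_RULES = {
    "/ca/cacert_org.crt": "r",
    "/ca/ldapmaster.roessner-net.de/newcert.pem": "r",
    "/ca/ldapmaster.roessner-net.de/newkey.pem": "r",
    "/etc/ldap/schema/*": "r",
    "/usr/lib/ldap/*": "mr",
    "/var/lib/ldap/*": "rw",
    "/var/lib/ldap/alock": "kw",
    "/var/run/slapd/*": "w",
}

EVENT_RE = re.compile(r'apparmor="(?P<decision>\w+)".*?profile="(?P<profile>[^"]+)"'
                      r'.*?name="(?P<name>[^"]+)".*?requested_mask="(?P<mask>[^"]+)"')

def parse_events(log, profile="/usr/sbin/slapd"):
    """Return (name, requested_mask, decision) for each audit event of the given profile."""
    events = []
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if m and m.group("profile") == profile:
            events.append((m.group("name"), m.group("mask"), m.group("decision")))
    return events

def rule_matches(rule_path, name):
    """AppArmor globbing: '*' stops at '/', '**' crosses directory boundaries."""
    pattern = re.escape(rule_path).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(pattern, name) is not None

def granted_perms(name, rules):
    """Union of the permission letters of every rule whose path matches name
    (AppArmor accumulates permissions across all matching rules)."""
    perms = set()
    for path, mode in rules.items():
        if rule_matches(path, name):
            perms |= set(mode)
    return perms

def uncovered(events, rules):
    """Events whose requested permissions the profile does not grant for that path."""
    return [(name, mask) for name, mask, _decision in events
            if not set(mask) <= granted_perms(name, rules)]
```

Running `uncovered(parse_events(SAMPLE_LOG), PROFILE_RULES)` reports only the .com certificate path; the alock write is covered because the `/var/lib/ldap/*` and `/var/lib/ldap/alock` rules combine.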