Improved description of permissions for openldap using TLS

Bug #437483 reported by PeterNSteinmetz on 2009-09-27
Affects: ubuntu-docs (Ubuntu)
Assigned to: Adam Sommer

Bug Description

Binary package hint: ubuntu-docs

With the use of GNUtls users often encounter an error of the form "main: TLS init def ctx failed: -1" without further explanation (which was available with openssl). Witness for example

To help avoid this, I've updated the notes on the network authentication page regarding the use of certificates and items to check, revno 354 of ubuntu-doc.

Matthew East (mdke) wrote :

Peter, I take it from your last sentence that you've made a suggested fix for this - could you make it available somewhere either as a patch or a bzr branch?

tags: added: serverguide
PeterNSteinmetz (ndoc2) wrote :

Yes, indeed. I guess I'm not familiar enough with bazaar version control. I obtained a copy of the docs, modified and performed a commit with a message, giving me rev # 354. But I take it that must not propagate the change.

I was trying to follow the instructions in the bugs playbook at:

but the command 'bzr diff > diffname.txt' near the end didn't give anything.

Subsequently, I've generated a differences file using 'bzr diff -r 353 > changes.txt', which seems to contain the differences, and I attach here.

Please let me know if there was some other more proper way of accomplishing this.

Matthew East (mdke) wrote :
The patch has worked fine. Thanks for that. I'll leave it to Adam to review.

Changed in ubuntu-docs (Ubuntu):
assignee: nobody → Adam Sommer (asommer)
Adam Sommer (asommer) wrote :

Thanks Peter and Matthew. I've applied the patch to revision 358.

Thanks again,

Changed in ubuntu-docs (Ubuntu):
status: New → Fix Committed
MatthiasK (mkubik) wrote :

the description doesn't apply to my setup as I'm not using a self-signed certificate but rather an official one ( Anything else that I'm missing?

Thanks in advance.

PeterNSteinmetz (ndoc2) wrote :

Sorry to hear that is still trouble. I've been slowly working on the patch to provide better error reporting when using GNUtls, but it will be a while.

With an official cert, you will need all 3 of the olcTLSxxx parameters set. Assuming that is in line, I would be sure the group has read permissions on the certs and key and read and execute on the directories containing them.
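A script that checks exactly the conditions described above (group read on the cert and key files, read and execute on every directory above them), added here as an example and not part of the bug thread or the ubuntu-docs patch. It assumes GNU coreutils `stat`, that slapd runs as group `openldap` on Ubuntu, and the file paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: verify that the group slapd runs as can read the files named by
# olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile,
# and can enter every directory on the way to them. Needs GNU coreutils stat.

# Print the permission digit that applies to GROUP for PATH: the group digit if
# PATH belongs to GROUP, otherwise the "other" digit.
perm_digit_for_group() {
  mode=$(stat -c '%a' "$1")            # e.g. 640, 750 or 2750
  if [ "$(stat -c '%G' "$1")" = "$2" ]; then
    d=${mode%?}                        # drop the "other" digit
  else
    d=$mode
  fi
  printf '%s\n' "${d#"${d%?}"}"        # keep the last remaining digit
}

# has_bits PATH GROUP BITS -> 0 if every bit in BITS (4=r, 2=w, 1=x) is granted
has_bits() {
  digit=$(perm_digit_for_group "$1" "$2")
  [ $(( digit & $3 )) -eq "$3" ]
}

# check_tls_file FILE GROUP -> 0 if GROUP has r on FILE and r+x on each parent
# directory; prints every failing path so the admin knows what to chmod/chgrp.
check_tls_file() {
  file=$1; grp=$2; rc=0
  [ -f "$file" ] || { echo "missing file: $file"; return 1; }
  d=$(dirname "$file")
  while [ "$d" != "/" ] && [ "$d" != "." ]; do
    has_bits "$d" "$grp" 5 || { echo "no r+x for $grp on dir: $d"; rc=1; }
    d=$(dirname "$d")
  done
  has_bits "$file" "$grp" 4 || { echo "no read for $grp on file: $file"; rc=1; }
  return $rc
}

# Usage on a live system (placeholder paths; substitute the values from
# your olcTLS* attributes):
# for f in /etc/ssl/certs/cacert.pem /etc/ssl/certs/slapd_cert.pem \
#          /etc/ssl/private/slapd_key.pem; do
#   check_tls_file "$f" openldap
# done
```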

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-docs - 9.10.8

ubuntu-docs (9.10.8) karmic; urgency=low

  * General:
    - Refresh pot files
  * hardware.xml:
    - Update jockey instructions to reflect UI changes from some time ago (LP: #281143)
    - Remove link to deprecated section in accessibility guide (LP: #293842)
  * internet.xml:
    - Network manager network list no longer has radio buttons, Dean Sas
  * keeping-safe.xml:
    - Update firewall section, Connor Imes / bodhi.zazen (LP: #377039)
  * usb-creator.xml:
    - Add manual for usb-creator, new document by Augustina Blair
  * serverguide.xml:
    - Add additional information for configuring TLS with OpenLDAP and gnutls, PeterNSteinmetz (LP: #437483)

 -- Matthew East <email address hidden> Sun, 27 Sep 2009 17:26:16 +0100

Changed in ubuntu-docs (Ubuntu):
status: Fix Committed → Fix Released