Improved description of permissions for openldap using TLS

Bug #437483 reported by PeterNSteinmetz on 2009-09-27
Affects: ubuntu-docs (Ubuntu) | Importance: Undecided | Assigned to: Adam Sommer

Bug Description

Binary package hint: ubuntu-docs

With the use of GNUtls users often encounter an error of the form "main: TLS init def ctx failed: -1" without further explanation (which was available with openssl). Witness for example https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/420277

To help avoid this, I've updated the notes on the network authentication page regarding the use of certificates and items to check, revno 354 of ubuntu-doc.

Matthew East (mdke) wrote :

Peter, I take it from your last sentence that you've made a suggested fix for this - could you make it available somewhere either as a patch or a bzr branch?

tags: added: serverguide
PeterNSteinmetz (ndoc2) wrote :

Yes, indeed. I guess I'm not familiar enough with bazaar version control. I obtained a copy of the docs, modified and performed a commit with a message, giving me rev # 354. But I take it that must not propagate the change.

I was trying to follow the instructions in the bugs playbook at:
https://wiki.ubuntu.com/DocumentationTeam/SystemDocumentation?action=AttachFile&do=view&target=BugsPlaybook.pdf

but the command 'bzr diff > diffname.txt' near the end didn't give anything.

Subsequently, I've generated a differences file using 'bzr diff -r 353 > changes.txt', which seems to contain the differences, and I attach here.

Please let me know if there was some other more proper way of accomplishing this.

Matthew East (mdke) wrote :

Peter,

The patch has worked fine. Thanks for that. I'll leave it to Adam to review.

Changed in ubuntu-docs (Ubuntu):
assignee: nobody → Adam Sommer (asommer)
Adam Sommer (asommer) wrote :

Thanks Peter and Matthew. I've applied the patch to revision 358.

Thanks again,
Adam

Changed in ubuntu-docs (Ubuntu):
status: New → Fix Committed
MatthiasK (mkubik) wrote :

Hi,

the description doesn't apply to my setup as I'm not using a self-signed certificate but rather an official one (cacert.org). Anything else that I'm missing?

Thanks in advance.
Matthias

PeterNSteinmetz (ndoc2) wrote :

Sorry to hear that is still trouble. I've been slowly working on the patch to provide better error reporting when using GNUtls, but it will be a while.

With an official cert, you will need all 3 of the olcTLSxxx parameters set. Assuming that is in line, I would be sure the group has read permissions on the certs and key and read and execute on the directories containing them.
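
The two checks in the comment above (all three olcTLS* attributes present, and the certificate, key and their directories accessible to slapd's group) can be scripted. The script below is an added example and is not part of this bug report or of ubuntu-docs. It assumes the cn=config attribute names `olcTLSCACertificateFile`, `olcTLSCertificateFile` and `olcTLSCertificateKeyFile`, and that slapd runs with the groups `openldap` and (for keys kept under /etc/ssl/private) `ssl-cert`; both group names are assumptions and can be overridden with `SLAPD_GROUPS="grp1 grp2"`. The LDIF it reads would normally come from `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config`; the demo at the end uses a constructed fixture instead so it runs offline.

```shell
#!/bin/sh
# Added example, not from the bug report or ubuntu-docs. Checks (1) that a
# cn=config LDIF dump carries all three olcTLS* attributes and (2) that
# slapd's group can read each TLS file and traverse every directory above it.
# Assumed groups: "openldap" and "ssl-cert" (override via SLAPD_GROUPS).

SLAPD_GROUPS="${SLAPD_GROUPS:-openldap ssl-cert}"
TLS_ATTRS="olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile"

# missing_tls_attrs LDIF -> prints each required attribute absent from LDIF;
# returns 0 only when all three are present.
missing_tls_attrs() {
    rc=0
    for a in $TLS_ATTRS; do
        grep -q "^$a:" "$1" || { echo "$a"; rc=1; }
    done
    return $rc
}

# mode_string PATH -> symbolic mode such as "-rw-r-----" (parses ls -ld, portable)
mode_string() { ls -ld "$1" | cut -c1-10; }

# group_of PATH -> name of the group that owns PATH
group_of() { ls -ld "$1" | awk '{print $4}'; }

# group_in_list NAME -> 0 if NAME is one of SLAPD_GROUPS
group_in_list() {
    for grp in $SLAPD_GROUPS; do [ "$grp" = "$1" ] && return 0; done
    return 1
}

# group_can PATH r|x -> 0 if the bit is granted to slapd's group (through the
# owning group) or to everyone. Mode positions: 5/7 = group r/x, 8/10 = other r/x.
group_can() {
    m=$(mode_string "$1")
    case "$2" in
        r) g=$(printf '%s\n' "$m" | cut -c5); o=$(printf '%s\n' "$m" | cut -c8) ;;
        x) g=$(printf '%s\n' "$m" | cut -c7); o=$(printf '%s\n' "$m" | cut -c10) ;;
        *) return 2 ;;
    esac
    # 's' (setgid) and 't' (sticky) include the execute bit; 'S'/'T' do not.
    case "$g" in r|x|s) group_in_list "$(group_of "$1")" && return 0 ;; esac
    case "$o" in r|x|t) return 0 ;; esac
    return 1
}

# check_tls_path FILE [TOP] -> 0 if FILE is readable and every directory from
# its parent up to TOP (default /) is traversable; prints the first failure.
check_tls_path() {
    f="$1"; top="${2:-/}"; top="${top%/}"; [ -n "$top" ] || top=/
    case "$f" in /*) ;; *) f="$PWD/$f" ;; esac
    [ -e "$f" ] || { echo "missing: $f"; return 1; }
    group_can "$f" r || { echo "not readable by slapd's group: $f"; return 1; }
    d=$(dirname "$f")
    while :; do
        group_can "$d" x || { echo "not traversable by slapd's group: $d"; return 1; }
        [ "$d" = "$top" ] || [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    return 0
}

# demo: constructed fixture in a temp dir (the caller's own group stands in
# for openldap); shows a missing attribute and a key with mode 600.
demo() {
    t=$(mktemp -d) || return 0
    saved=$SLAPD_GROUPS; SLAPD_GROUPS=$(id -gn)
    mkdir -p "$t/certs" && chmod 750 "$t" "$t/certs"
    : > "$t/certs/ca.pem";    chmod 644 "$t/certs/ca.pem"
    : > "$t/certs/slapd.key"; chmod 600 "$t/certs/slapd.key"   # group cannot read
    printf 'olcTLSCACertificateFile: %s\nolcTLSCertificateFile: %s\n' \
        "$t/certs/ca.pem" "$t/certs/slapd.pem" > "$t/config.ldif"
    echo "missing attributes:"; missing_tls_attrs "$t/config.ldif"
    for p in "$t/certs/ca.pem" "$t/certs/slapd.key"; do
        check_tls_path "$p" "$t" && echo "ok: $p"
    done
    rm -rf "$t"; SLAPD_GROUPS=$saved
    return 0
}
demo
```

On a live system run `check_tls_path /path/to/slapd.key` with no second argument so every ancestor up to `/` is inspected; a key under a 700 directory or a 600 key owned by root is the usual reason slapd's group cannot read it, which the check reports as the first failing path.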

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-docs - 9.10.8

---------------
ubuntu-docs (9.10.8) karmic; urgency=low

  * General:
    - Refresh pot files
  * hardware.xml:
    - Update jockey instructions to reflect UI changes from some time ago (LP: #281143)
    - Remove link to deprecated section in accessibility guide (LP: #293842)
  * internet.xml:
    - Network manager network list no longer has radio buttons, Dean Sas
  * keeping-safe.xml:
    - Update firewall section, Connor Imes / bodhi.zazen (LP: #377039)
  * usb-creator.xml:
    - Add manual for usb-creator, new document by Augustina Blair
  * serverguide.xml:
    - Add additional information for configuring TLS with OpenLDAP and gnutls, PeterNSteinmetz (LP: #437483)

 -- Matthew East <email address hidden> Sun, 27 Sep 2009 17:26:16 +0100

Changed in ubuntu-docs (Ubuntu):
status: Fix Committed → Fix Released