Package: libnss-ldap
Version: 251-5.1
Severity: normal
Hi,

libnss-ldap seems to ignore the tls_cacertfile option in libnss-ldap.conf.
More specifically, if /etc/ldap/ldap.conf is empty and tls_cacertfile is only
set in libnss-ldap.conf, then TLS negotiation with the LDAP server fails.

The strace output of "getent passwd foo" contains the following line where
normally the CA certificate should have been opened:

  open(NULL, O_RDONLY) = -1 EFAULT (Bad address)

If the TLS_CACERT option is set in /etc/ldap/ldap.conf, then everything works
fine, and instead of the above open(NULL) there is the opening of the CA
certificate, as expected. In fact, if TLS_CACERT is set in /etc/ldap/ldap.conf,
then the value of tls_cacertfile in libnss-ldap.conf seems to be ignored.

Looking at the strace output, libnss-ldap.conf is parsed before
/etc/ldap/ldap.conf. Is it possible that the parsing of /etc/ldap/ldap.conf
resets the TLS options configured in libnss-ldap.conf?

Gabor

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.17libata
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0]  1.5.4         Debian configuration management sy
ii  libc6                  2.3.6.ds1-4   GNU C Library: Shared libraries
ii  libkrb53               1.4.4-1       MIT Kerberos runtime libraries
ii  libldap2               2.1.30-13+b1  OpenLDAP libraries

Versions of packages libnss-ldap recommends:
ii  libpam-ldap            180-1.1       Pluggable Authentication Module al
ii  nscd                   2.3.6.ds1-4   GNU C Library: Name Service Cache

-- debconf information excluded
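As an added diagnostic (not from the report or the libnss-ldap package), the script below compares the two settings the reporter describes and names the configuration state it finds; it assumes Debian's /etc/libnss-ldap.conf as the default nss_ldap config path and only reads the files.

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report: compare the CA certificate path
# nss_ldap reads from libnss-ldap.conf (tls_cacertfile) with the one the OpenLDAP
# client library reads from /etc/ldap/ldap.conf (TLS_CACERT). Per the report, an
# empty ldap.conf leaves TLS without a CA file, and a TLS_CACERT in ldap.conf
# overrides tls_cacertfile. Paths are arguments so the check can run on copies.

# conf_get FILE KEY: print the first value of KEY (case-insensitive key match,
# comments and blank lines skipped); print nothing if absent or unreadable.
conf_get() {
    [ -r "$1" ] || return 0
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# check_ca_config NSS_CONF LDAP_CONF: print one diagnosis token.
#   nss-only  tls_cacertfile set but TLS_CACERT missing: the failing case from
#             the report (TLS negotiation fails, strace shows open(NULL))
#   mismatch  both set but different: ldap.conf wins, nss_ldap's value is ignored
#   ok        TLS_CACERT set and, if tls_cacertfile is also set, they agree
#   none      no CA file configured in either file
check_ca_config() {
    nss_ca=$(conf_get "${1:-/etc/libnss-ldap.conf}" tls_cacertfile)
    ldap_ca=$(conf_get "${2:-/etc/ldap/ldap.conf}" TLS_CACERT)
    if [ -z "$ldap_ca" ]; then
        if [ -n "$nss_ca" ]; then echo nss-only; else echo none; fi
    elif [ -n "$nss_ca" ] && [ "$nss_ca" != "$ldap_ca" ]; then
        echo mismatch
    else
        echo ok
    fi
}

# Demo on constructed files mirroring the report: CA only in libnss-ldap.conf,
# then the working configuration with TLS_CACERT added to ldap.conf.
demo_dir=$(mktemp -d)
printf 'uri ldaps://ldap.example.test\ntls_cacertfile /etc/ssl/certs/ca.pem\n' \
    > "$demo_dir/libnss-ldap.conf"
: > "$demo_dir/ldap.conf"
echo "empty ldap.conf: $(check_ca_config "$demo_dir/libnss-ldap.conf" "$demo_dir/ldap.conf")"
printf 'TLS_CACERT /etc/ssl/certs/ca.pem\n' > "$demo_dir/ldap.conf"
echo "TLS_CACERT set:  $(check_ca_config "$demo_dir/libnss-ldap.conf" "$demo_dir/ldap.conf")"
rm -rf "$demo_dir"
```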

