[Touch-packages] [Bug 1564179] Re: 389-ds-base linked to NSS and GnuTLS, replication fails

Tue, 19 Apr 2016 02:03:13 -0700 

This bug was fixed in the package 389-ds-base - 1.3.4.9-1

---------------
389-ds-base (1.3.4.9-1) unstable; urgency=medium

  * New upstream release.
  * support-non-nss-libldap.diff: Support libldap built against gnutls.
    (LP: #1564179)

 -- Timo Aaltonen <tjaal...@debian.org>  Mon, 18 Apr 2016 18:08:14 +0300

** Changed in: 389-ds-base (Ubuntu)
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1564179

Title:
  389-ds-base linked to NSS and GnuTLS, replication fails

Status in 389-ds-base package in Ubuntu:
  Fix Released
Status in openldap package in Ubuntu:
  New
Status in openldap package in Debian:
  New

Bug description:
  The ns-slapd binary is currently linked to two separate SSL libraries,
  NSS for server connections, and gnutls for client connections via
  openldap:

  r...@ldap.example.com:~/src/openldap-2.4.31# ldd /usr/sbin/ns-slapd
          libnss3.so => /usr/lib/x86_64-linux-gnu/libnss3.so
  (0x00007f0e14e60000)
          libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26
  (0x00007f0e12def000)

  Because 389ds's replication plugin passes parameters that are only
  understandable by NSS to the gnutls library, all attempts to replicate
  over SSL fails as follows:

  [30/Mar/2016:17:19:19 +0000] setup_ol_tls_conn - failed: unable to create
  new TLS context
  [30/Mar/2016:17:19:19 +0000] slapi_ldap_bind - Error: could not configure
  the server for cert auth - error -1 - make sure the server is correctly
  configured for SSL/TLS
  [30/Mar/2016:17:19:19 +0000] NSMMReplicationPlugin - agmt="cn=Agreement
  ldap.example.com" (ldap:636): Replication bind with EXTERNAL auth failed:
  LDAP error 0 (Success) ()

  These messages are caused by NSS certificate nicknames being
  interpreted by gnutls as filesystem paths, triggering failures.

  To fix this, 389ds needs to be linked against an LDAP client library
  that is also linked to NSS.

  Right now 389ds cannot be used on Trusty at all in any kind of
  meaningful way.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/389-ds-base/+bug/1564179/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to