
touch-packages team mailing list archive

[Bug 1537762] Re: syncrepl does not work when using tls


Hi Ian,

I found https://stathers.net/2016/01/14/thawte-premium-ssl-md5-gnutls.html
but it would be surprising if that broke syncrepl but not ldapsearch.
Still, worth checking if you haven't already. (ldapsearch and syncrepl
are using the same CA certificate, right?)

Is there any interesting output if you run the consumer slapd at a
higher debug level?

Separate from slapd, are gnutls-serv/gnutls-cli able to communicate
using the same certificates?

** Changed in: openldap (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1537762

Title:
  syncrepl does not work when using tls

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  syncrepl gives a "slap_client_connect: URI=ldap://ldaphost.domain.com Error, ldap_start_tls failed (-11)" error

  syncrepl was working perfectly until I upgraded libgnutls26 from
  version 2.12.14-5ubuntu3.10 to version 2.12.14-5ubuntu3.11.

  This new version of gnutls seems to contain only a simple fix for
  CVE-2015-7575.

  ldapsearch works perfectly happily with the new version of gnutls and
  our SSL certificate.

  My syncrepl config looks like this:

  syncrepl        rid=222
                  provider=ldap://ldaphost.domain.com
                  starttls=critical
                  type=refreshAndPersist
                  retry=60,+
                  searchbase="dc=ccc,dc=sssssss,dc=aa,dc=uu"
                  scope=sub
                  schemachecking=off
                  bindmethod=simple
                  binddn="cn=uuuuuu,dc=ccc,dc=sssss,dc=aa,dc=uu"
                  credentials=XXXXXXXX

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: slapd 2.4.28-1.1ubuntu4.6
  ProcVersionSignature: Ubuntu 3.2.0-97.137-generic 3.2.73
  Uname: Linux 3.2.0-97-generic x86_64
  ApportVersion: 2.0.1-0ubuntu17.13
  Architecture: amd64
  Date: Mon Jan 25 13:33:26 2016
  InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
  MarkForUpload: True
  SourcePackage: openldap
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.default.slapd: 2012-10-02T10:07:38

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1537762/+subscriptions
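As an added example (not code from the bug report, OpenLDAP or GnuTLS), the check implied by the linked post on MD5-signed certificates and GnuTLS: a small DER walker that reads the signature algorithm OID out of a PEM certificate and flags MD2/MD5-signed ones, which a GnuTLS that no longer accepts MD5 signatures will reject during the handshake. Run it over the CA and server certificates the consumer's TLS settings point at; the two sample PEMs below are constructed, certificate-shaped DER, not real certificates.

```python
import base64
import re

# MD2/MD5-based signature OIDs. A GnuTLS that no longer accepts MD5 signatures
# (cf. the CVE-2015-7575 fix) rejects a chain signed with one of these.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def der_tlv(data, pos=0):
    """Decode one DER element at pos: (tag, content bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(content):
    """OBJECT IDENTIFIER content bytes -> dotted string (base-128 arcs)."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def signature_oid(pem):
    """Dotted OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE { tbs, sigAlg, sig }."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    _, cert, _ = der_tlv(der)             # outer Certificate SEQUENCE
    _, _, pos = der_tlv(cert)             # skip tbsCertificate
    _, sig_alg, _ = der_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_tlv(sig_alg)        # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)

def weak_signature(pem):
    """Name of the MD2/MD5 algorithm if the certificate is signed with one, else None."""
    return WEAK_SIG_OIDS.get(signature_oid(pem))

def _pem(der_hex):
    b64 = base64.b64encode(bytes.fromhex(der_hex)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed, certificate-shaped DER (not real certs): stub tbsCertificate, AlgorithmIdentifier, stub signature.
SAMPLE_MD5_PEM = _pem("30193003020101300d06092a864886f70d0101040500030300abcd")
SAMPLE_SHA256_PEM = _pem("30193003020101300d06092a864886f70d01010b0500030300abcd")
```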
