touch-packages team mailing list archive
Message #35926
[Bug 227744] Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group
Hardy has seen the end of its life and is no longer receiving any
updates. Marking the Hardy task for this ticket as "Won't Fix".
** Changed in: openldap2.3 (Ubuntu Hardy)
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/227744
Title:
dapper upgrade to hardy: openldap silently refuses to start when
unable to open SSL certificates - main: TLS init def ctx failed: -64 -
openldap user not in ssl-cert group
Status in “openldap” package in Ubuntu:
Won't Fix
Status in “openldap2.3” package in Ubuntu:
Invalid
Status in “openldap” source package in Hardy:
Invalid
Status in “openldap2.3” source package in Hardy:
Won't Fix
Status in “openldap2.3” package in Debian:
Confirmed
Bug description:
We ran a slapd on Dapper for a long time, and it relied on an SSL cert
that we made root-owned 0400 for reasons of our own internal security.
Apache happily opens these certs as root and passes the file
descriptor along for after it drops privilege to the www-data user.
The default install of slapd on Hardy silently refuses to start when
we point it at these certificates.
On Dapper, we ran slapd as root, and things worked reasonably well.
The Hardy upgrade reconfigured slapd to run as the "openldap" user,
which was unable to read the certificates we have.
The problem with this is that there was no indication in the logs or
the init script output that this was the reason it would not start.
Forcing us to pore through the copious output of the debug mode is a
little unreasonable for such a straightforward error condition.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/227744/+subscriptions
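The failure in the bug description (a root-owned 0400 key that slapd can no longer read once it runs as the "openldap" user) can be caught before the daemon is started. The following is an added example, not part of the bug report or of the openldap package: a Python pre-flight check that takes slapd.conf text and reports, for each TLS file it names, the first path component the run-as user cannot traverse or read. The uid/gid numbers, file names and `SAMPLE_*` data are constructed for illustration, and ACLs are not evaluated.

```python
import os
import stat
from types import SimpleNamespace

# Real slapd.conf directives that name TLS files.
TLS_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")

def tls_paths(conf_text):
    """Return [(directive, path)] for TLS file directives in slapd.conf text."""
    pairs = (line.split(None, 1) for line in conf_text.splitlines())
    return [(p[0], p[1].strip().strip('"')) for p in pairs
            if len(p) == 2 and p[0] in TLS_DIRECTIVES]

def permitted(st, uid, gids, want):
    """Classic owner/group/other check for want 'r' or 'x'; uid 0 always passes."""
    if uid == 0:
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & {"r": 4, "x": 1}[want])

def preflight(conf_text, uid, gids, stat_fn=os.stat):
    """Return [(directive, blocking_path, reason)]; dirs need search (x), the file read (r)."""
    problems = []
    for directive, path in tls_paths(conf_text):
        dirs, d = [], os.path.dirname(path)
        while d not in ("", "/"):
            dirs.insert(0, d)
            d = os.path.dirname(d)
        for p, want in [(q, "x") for q in dirs] + [(path, "r")]:
            try:
                st = stat_fn(p)
            except OSError as exc:
                problems.append((directive, p, exc.strerror or "stat failed"))
                break
            if not permitted(st, uid, gids, want):
                problems.append((directive, p, "mode %04o uid=%d gid=%d denies %s"
                                 % (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, want)))
                break
    return problems

# Constructed sample: root-owned 0400 key under a 0710 directory with group gid 112.
SAMPLE_CONF = "TLSCertificateFile /etc/ssl/certs/ldap.pem\nTLSCertificateKeyFile /etc/ssl/private/ldap.key\n"
SAMPLE_FS = {path: SimpleNamespace(st_mode=m, st_uid=0, st_gid=g) for path, m, g in [
    ("/etc", 0o40755, 0), ("/etc/ssl", 0o40755, 0), ("/etc/ssl/certs", 0o40755, 0),
    ("/etc/ssl/private", 0o40710, 112), ("/etc/ssl/certs/ldap.pem", 0o100644, 0),
    ("/etc/ssl/private/ldap.key", 0o100400, 0)]}
def sample_stat(path):
    if path not in SAMPLE_FS:
        raise FileNotFoundError(2, "No such file or directory", path)
    return SAMPLE_FS[path]
```

Called without `stat_fn`, `preflight` checks the live filesystem instead of the constructed sample.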