[Pkg-openldap-devel] Bug#478883: Bug#478883: I have the same bug

Steve Langasek vorlon at debian.org
Mon Jul 14 16:40:40 UTC 2008


On Mon, Jul 14, 2008 at 05:56:52PM +0200, Michael Kiefer wrote:
> With lenny both as server and client, I get the same bug here. The first thing 
> that I discovered not working was syncrepl between two servers. Then I 
> noticed that ldapsearch also is not working:

So, can you provide the requested slapd.conf from the server so that I can
try to reproduce and debug this?

> When I run ldapsearch on the server, accessing the pipe with
> ldapsearch -ZZ -H ldapi://%2fvar%2frun%2fldapi/ -d-1 -Y EXTERNAL
> I get the following output
> (only the last few lines, when the error occurs)
> 	tls_write: want=139 error=Broken pipe
> 	TLS: can't connect: Error in the push function..
> 	ldap_err2string
> 	ldap_start_tls: Connect error (-11)

Hum, I wouldn't expect this to work because you're using an ldapi URL, and
TLS negotiation is based on hostnames.  Has this ever worked with previous
versions?

> When I run ldapsearch on the server or on the client, accessing via
> ldapsearch -H ldaps://cresstsrv2.mppmu.mpg.de -d-1 -Y EXTERNAL
> the result is sometimes
> 	tls_write: want=6 error=Broken pipe
> 	TLS: can't connect: Error in the push function..
> 	ldap_err2string
> 	ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

This at least appears to be the same error message as the original bug
submitter.

> This is true for Debian lenny and Ubuntu 8.04. When trying with an Ubuntu 7.10
> client, the message is

> 	TLS trace: SSL_connect:SSLv3 flush data
> 	tls_read: want=5, got=0

> 	TLS trace: SSL_connect:failed in SSLv3 read finished A
> 	TLS: can't connect.
> 	ldap_perror
> 	ldap_start_tls: Can't contact LDAP server (-1)

The bug report you're following up to is about a failure to connect from
ldap-utils.  Ubuntu 7.10 doesn't ship ldap-utils 2.4.7; if you're having a
*general* problem connecting to your server from all TLS-based clients, then
I think you have a configuration problem, not a bug in ldap-utils.  (I don't
think this is a server bug either, because the TLS support has been tested
to work already in a variety of configurations.)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org




