samba4: ldapsearch SSL/TLS problems
Marcel Ritter
Marcel.Ritter at rrze.uni-erlangen.de
Tue Jun 8 15:19:07 MDT 2010
On 06/08/2010 10:36 PM, Matthieu Patou wrote:
> So the pb is that there is no easy fix for the moment.
Replacing the samba4 ssl implementation with a simple stunnel
works fine for me (only SSL, not TLS).
Maybe that's why I got the wrong impression, that the fix should
be fairly simple :-(
> I faced only the pb with postfix, you can mostly replace ldapsearch
> with ldbsearch.
Ok - I could work around the ldapsearch problem with that, but ldap
browsers like Apache Directory Studio will fail anyway.
So I still hope for this issue to be resolved sooner or later :-)
> Outlook and a lot of other tools do not have this pb.
>
> Matthieu
Bye,
Marcel
> On 09/06/2010 00:32, Marcel Ritter wrote:
>> On 06/08/2010 10:16 PM, Matthieu Patou wrote:
>>
>>> Hi Marcel,
>>>
>> Hi Matthieu,
>>
>>> Is your pb related to bug 7218
>>> (https://bugzilla.samba.org/show_bug.cgi?id=7218) ?
>>>
>>> I have the impression that it is.
>>>
>> That's quite possible - description sounds somewhat familiar.
>>
>>> Matthieu.
>>>
>> Bye,
>> Marcel
>>
>>> On 08/06/2010 23:54, Marcel Ritter wrote:
>>>
>>>> Hi,
>>>>
>>>> quite some time ago, I reported problems with SSL/TSL connections
>>>> in samba4 - with very few replies on the list. Now I decided to
>>>> give it
>>>> one more try, and see if things have improved in the meantime.
>>>>
>>>> Unfortunately they haven't: SSL/TSL is still broken (at least on my
>>>> system: samba4 latest git, gnutls 2.4.1, ldapsearch/openldap 2.4.12,
>>>> openSUSE 11.1).
>>>>
>>>> Simple (unencrypted) ldapsearch works:
>>>> ldapsearch -x -D TEST\\Administrator -w pw -b dc=test,dc=org -H
>>>> ldap://192.168.1.6
>>>>
>>>> Simple (encrypted, TLS/SSL) ldapsearch doesn't:
>>>> ldapsearch -x -D TEST\\Administrator -w pw -b dc=test,dc=org -H
>>>> ldap://192.168.1.6 -Z
>>>>
>>>> < returns quite some entries (not all), but ends with:>
>>>> ldap_result: Can't contact LDAP server (-1)
>>>>
>>>> To find out where ldapsearch failed, I tried to redirect output to a
>>>> file (adding "> logfile")
>>>> to the above lines. Odd thing is: when redirected to a file I get the
>>>> whole output - no error.
>>>> (adding "| tee logfile" to the command line also makes things work
>>>> ...).
>>>>
>>>> The only reason for this I can currently think of is some kind of
>>>> timing
>>>> problem
>>>> (taking longer to write output to terminal and scroll it, than to
>>>> write
>>>> it to a file?).
>>>>
>>>> Random connection errors also occur on large, encrypted ldap searches
>>>> when using Apache Directory Studio.
>>>>
>>>> Running samba in debug mode (samba -i -M single -d 9) reports
>>>> an error everytime the SSL connection fails:
>>>>
>>>> "TLS gnutls_bye failed - Error in the push function."
>>>>
>>>> Hope someone can confirm this, and maybe provide a fix for it.
>>>>
>>>> Bye,
>>>> Marcel
>>>>
>>>>
>>>
>>>
>>
>
>
More information about the samba-technical
mailing list