samba4: ldapsearch SSL/TLS problems

Marcel Ritter Marcel.Ritter at rrze.uni-erlangen.de
Tue Jun 8 15:19:07 MDT 2010


On 06/08/2010 10:36 PM, Matthieu Patou wrote:
> So the pb is that there is no easy fix for the moment.
Replacing the samba4 ssl implementation with a simple stunnel
works fine for me (only SSL, not TLS).
Maybe that's why I got the wrong impression, that the fix should
be fairly simple :-(
> I faced only the pb with postfix, you can mostly replace ldapsearch
> with ldbsearch.
Ok - I could work around the ldapsearch problem with that, but ldap
browsers like Apache Directory Studio will fail anyway.

So I still hope for this issue to be resolved sooner or later :-)
> Outlook and a lot of other tools do not have this pb.
>
> Matthieu
Bye,
   Marcel
> On 09/06/2010 00:32, Marcel Ritter wrote:
>> On 06/08/2010 10:16 PM, Matthieu Patou wrote:
>>   
>>> Hi Marcel,
>>>      
>> Hi Matthieu,
>>   
>>> Is your pb related to bug 7218
>>> (https://bugzilla.samba.org/show_bug.cgi?id=7218) ?
>>>
>>> I have the impression that it is.
>>>      
>> That's quite possible - description sounds somewhat familiar.
>>   
>>> Matthieu.
>>>      
>> Bye,
>>     Marcel
>>   
>>> On 08/06/2010 23:54, Marcel Ritter wrote:
>>>     
>>>> Hi,
>>>>
>>>> quite some time ago, I reported problems with SSL/TLS connections
>>>> in samba4 - with very few replies on the list. Now I decided to
>>>> give it
>>>> one more try, and see if things have improved in the meantime.
>>>>
>>>> Unfortunately they haven't: SSL/TLS is still broken (at least on my
>>>> system: samba4 latest git, gnutls 2.4.1, ldapsearch/openldap 2.4.12,
>>>> openSUSE 11.1).
>>>>
>>>> Simple (unencrypted) ldapsearch works:
>>>>      ldapsearch -x -D TEST\\Administrator -w pw -b dc=test,dc=org -H ldap://192.168.1.6
>>>>
>>>> Simple (encrypted, TLS/SSL) ldapsearch doesn't:
>>>>      ldapsearch -x -D TEST\\Administrator -w pw -b dc=test,dc=org -H ldap://192.168.1.6 -Z
>>>>
>>>>      <   returns quite some entries (not all), but ends with:>
>>>>      ldap_result: Can't contact LDAP server (-1)
>>>>
>>>> To find out where ldapsearch failed, I tried to redirect output to a
>>>> file (adding "> logfile" to the above lines). Odd thing is: when
>>>> redirected to a file I get the whole output - no error.
>>>> (adding "| tee logfile" to the command line also makes things work ...).
>>>>
>>>> The only reason for this I can currently think of is some kind of
>>>> timing problem (taking longer to write output to terminal and scroll
>>>> it, than to write it to a file?).
>>>>
>>>> Random connection errors also occur on large, encrypted ldap searches
>>>> when using Apache Directory Studio.
>>>>
>>>> Running samba in debug mode (samba -i -M single -d 9) reports
>>>> an error every time the SSL connection fails:
>>>>
>>>> "TLS gnutls_bye failed - Error in the push function."
>>>>
>>>> Hope someone can confirm this, and maybe provide a fix for it.
>>>>
>>>> Bye,
>>>>      Marcel
>>>>
>>>>        
>>>
>>>      
>>    
>
>
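The stunnel workaround Marcel mentions above (terminating LDAPS in stunnel and forwarding plain LDAP to samba4 over the loopback interface), written out as an added example; it is not part of the thread and not samba's or stunnel's own shipped configuration. The port numbers, certificate paths, the service account, and the assumption that samba4's own TLS listener is switched off with `tls enabled = no` in smb.conf (so that stunnel can own port 636) are all assumptions of this example:

```ini
; stunnel.conf (added example, not from the thread): terminate LDAPS on 636
; and hand samba4 a plain LDAP connection on the loopback interface.
; Assumed: samba4's own TLS listener is disabled ("tls enabled = no" in
; smb.conf) so stunnel can bind port 636; cert/key paths and the
; stunnel user/group are placeholders for this example.
cert = /etc/stunnel/ldap.pem
key  = /etc/stunnel/ldap.key

; drop privileges once the listening socket is bound
setuid = stunnel
setgid = stunnel
pid    = /var/run/stunnel/ldaps.pid

; client-facing LDAPS -> local plaintext LDAP (stays on the host)
[ldaps]
accept  = 636
connect = 127.0.0.1:389
```

Clients then connect with `-H ldaps://192.168.1.6:636` instead of `-Z`; StartTLS on port 389 is not available through this shim, which is the "only SSL, not TLS" limitation Marcel notes. Keep `connect` pointed at 127.0.0.1 so the plaintext leg never leaves the machine, and prefer `-W` (prompt for the bind password) over `-w pw`, since a password given on the command line shows up in process listings and shell history.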