[Samba] Re: Samba-LDAP TLS problems with inofficial Debian OpenLDAP 2.2 packages

Paul Coray paul.coray at unibas.ch
Wed Mar 23 14:29:22 GMT 2005


Thanks for your quick response!

>  > Package: slapd
>  > Version: 2.2.20-1.hrz.1
>  > Package: libldap2.2
>  > Version: 2.2.20-1.hrz.1
>  > Package: ldap-utils
>  > Version: 2.2.20-1.hrz.1
> Where are those available? I did not know about that fork and perhaps I
> can share some work with the maintainer.

Sorry, as the Packages file at ftp://ftp.uni-marburg.de/linux/debian 
mentions your name as maintainer, I thought you made those, but I'm glad 
you are willing to deal with them anyway :-)

>  > smbd:
>  > /home/roland/debian/openldap/build/2.1.30/openldap2-2.1.30/libraries/libldap/cyrus.c:468: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.
> This is a known bug in the Debian packages. Have a look at
>     http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273620
> If you can reproduce it we might be able to track it down finally.

Not so easy, as this happened only twice in the morning when the load 
from users authenticating, maybe also changing attributes (passwords) was 
high. Difficult to simulate this in a testing environment...

>  > Is samba using the 'original' OpenLDAP 2.1.30 TLS libraries, even if I
>  > have the ldap libraries linked to 2.2?
> Yes. It will use the 2.1.30 libraries as they are incompatible with
> 2.2.x
>  > And, why does this go away as soon as I stop slurpd on the master and
>  > slapd on the slave?
> No idea.
>  > This is critical to us, as this is the first major step migrating ~200
>  > users away from NT-desktops to Linux thin clients, and I don't want to
>  > give them something to argue against OSS...
> My guess how to fix this: Get the openldap2 sources from the Debian
> package and build it against OpenSSL. I can make packages available if
> you can't build them.
> You should change debian/changelog so that apt can differentiate between
> the official and your packages and debian/configure.options so it uses
> OpenSSL. Ah, and remove gnutls from Build-Depends in debian/control and
> add libssl-dev. Make sure no gnutls dev package is installed as the
> configure script had a bug to use it even if you'd rather use OpenSSL.

Hmm... Ok, I'll give it a shot. Problem though is, this is a productive 
server as from last Monday. In my testing environment, the mentioned 
packages worked flawlessly, so this HAS to work, once I use it in 
production, or my users might get upset, if you know what I mean... ;-)

Anyway, if you have those packages from the Debian openldap2 sources 
handy, I would gladly test them.
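
Added example, not part of the original message or of the Samba or Debian packages: a shell check that reads `ldd` output for a binary such as smbd and reports whether it resolves to more than one libldap build or to both GnuTLS and OpenSSL, the mix discussed in this thread. The function names and the sample `ldd` lines (sonames, paths, addresses) are constructed for illustration.

```shell
#!/bin/sh
# Classify the LDAP and TLS libraries a binary resolves to, from `ldd` output.
# Usage: sh check_ldap_tls.sh /usr/sbin/smbd   (the script name is an assumption)

classify_ldap_tls() {
    # Reads `ldd` output on stdin; field 1 of each line is the soname.
    awk '
        # Count distinct libldap sonames (libldap_r is deliberately not matched).
        $1 ~ /^libldap[-.]/ && !($1 in seen) { seen[$1] = 1; nldap++ }
        $1 ~ /^libgnutls/ { gnutls = 1 }
        $1 ~ /^libssl/    { openssl = 1 }
        END {
            # Two libldap builds, or two TLS stacks, in one process is the
            # combination to look into before trusting TLS behaviour.
            verdict = (nldap > 1 || (gnutls && openssl)) ? "mixed" : "consistent"
            printf "libldap_versions=%d gnutls=%d openssl=%d verdict=%s\n",
                   nldap, gnutls, openssl, verdict
        }
    '
}

# Constructed sample: one process resolving both libldap builds and both TLS stacks.
sample_mixed() {
    cat <<'EOF'
	libldap.so.2 => /usr/lib/libldap.so.2 (0x00000000)
	libgnutls.so.11 => /usr/lib/libgnutls.so.11 (0x00000000)
	libldap-2.2.so.7 => /usr/lib/libldap-2.2.so.7 (0x00000000)
	libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x00000000)
EOF
}

# Constructed sample: a single libldap build against a single TLS stack.
sample_consistent() {
    cat <<'EOF'
	libldap.so.2 => /usr/lib/libldap.so.2 (0x00000000)
	libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x00000000)
	libc.so.6 => /lib/libc.so.6 (0x00000000)
EOF
}

if [ "$#" -gt 0 ]; then
    ldd "$1" | classify_ldap_tls
else
    sample_mixed | classify_ldap_tls
fi
```

`ldd` lists link-time dependencies only, so libraries loaded later at run time (for example through NSS or PAM modules) do not appear in its output.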


