[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS/SSL altNames [was: SSL certificates, kerberos keytabs, and load balancing]

On Tue, 13 Apr 2004, Medievalist wrote:

> Damnation!  Thanks Kirk, you just saved me a small headache that was scheduled 
> for next week.

Glad to hear it.

> Hmmm... looking at the bug reports, isn't this another side effect of Red Hat 
> shipping an obsolete, known-to-be-buggy OpenLDAP package?  P'raps nss_ldap is 
> using the OpenLDAP libraries and inheriting the bug?

I encountered the problem first hand *after* having upgraded the
OpenLDAP libraries on an nss_ldap box to OL 2.1.25. Also, I would
expect a client problem with certificates to be due to bad OpenSSL,
not OpenLDAP, libs.

Of course...

% ldd /usr/lib/libnss_ldap.so
        libdl.so.2 => /lib/libdl.so.2 (0x401f1000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x401f5000)
        libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

...it appears that the stock RH9 nss_ldap is not using shared
OpenLDAP *or* OpenSSL libs, so a rebuild of nss_ldap from the source
RPM after upgrading both may fix things.

Kirk Turner-Rustin
Information Systems
Ohio Wesleyan University