
en - Re: [sympa-users] Strange things on LDAP quaries...

Subject: The mailing list for listmasters using Sympa

  • From: Marco Gaiarin <address@concealed>
  • To: "Steve Shipway" (via sympa-users Mailing List) <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Strange things on LDAP quaries...
  • Date: Thu, 25 Aug 2016 22:07:23 +0200

Hello! "Steve Shipway" (via sympa-users Mailing List)
On that day it was said...

[Sorry for the double posting; I'm moving away from my address @libero.it,
and I forgot I was subscribed with that. ]


> Your Sympa server is failing to connect to LDAP. All other things
> follow on from this.

This is clear.


> Assuming that the hostname, and bind credentials, are unchanged in the
> configuration, you may now have slightly different auth requirements
> defined on your new LDAP server. In particular, you might like to check
> the certificate being used for LDAPS - possibly it is self-signed or
> unexpectedly weak, or expired, and the connection from Sympa is being a
> bit more strict on the authentication?

No, all servers share the same CA and the cert is not expired.


> You can set ca_verify=none which may help (if the cert is not signed by
> a recognised CA). You may also want to check your ssl_version and
> ssl_ciphers=ALL settings in case your new LDAP server does not support
> the same or as many ciphers as the previous one -- possibly the new LDAP
> server is stricter in its requirements for connection.

OK, some light in the dark. Effectively, the updated LDAP server uses a newer
GnuTLS library and only TLS, no SSLv3 (or lower).

In the list web interface I've set 'ssl_version tls' (was sslv3), but then
the Sympa web interface bombs out with this error:

[Thu Aug 25 09:26:18 2016] [warn] [client 10.5.1.14] mod_fcgid: stderr: Use
of uninitialized value $_[0] in sprintf at /usr/lib/perl/5.14/Sys/Syslog.pm
line 368., referer:
http://liste.localdomain/wws/edit_list_request/lnf-sv-corsi-annunci/data_source
[Thu Aug 25 09:26:30 2016] [warn] [client 10.5.1.14] mod_fcgid: stderr: Use
of uninitialized value $_[0] in sprintf at /usr/lib/perl/5.14/Sys/Syslog.pm
line 368., referer: http://liste.localdomain/wws/admin/lnf-sv-corsi-annunci
[Thu Aug 25 09:26:44 2016] [warn] [client 10.5.1.14] mod_fcgid: stderr: Use
of uninitialized value $_[0] in sprintf at /usr/lib/perl/5.14/Sys/Syslog.pm
line 368., referer:
http://liste.localdomain/wws/edit_list_request/lnf-sv-corsi-annunci/data_source
[Thu Aug 25 09:26:44 2016] [warn] [client 10.5.1.14] mod_fcgid: stderr:
invalid SSL_version specified at /usr/share/perl5/IO/Socket/SSL.pm line 332,
referer:
http://liste.localdomain/wws/edit_list_request/lnf-sv-corsi-annunci/data_source
[Thu Aug 25 09:26:44 2016] [warn] [client 10.5.1.14] mod_fcgid: stderr:
invalid SSL_version specified at /usr/share/perl5/IO/Socket/SSL.pm line 332,
referer:
http://liste.localdomain/wws/edit_list_request/lnf-sv-corsi-annunci/data_source
[Thu Aug 25 09:26:44 2016] [error] [client 10.5.1.14] Premature end of
script headers: wwsympa-wrapper.fcgi, referer:
http://liste.localdomain/wws/edit_list_request/lnf-sv-corsi-annunci/data_source

I've also tried to lower the limit on the LDAP server, e.g. make it accept
SSLv3, but I was not able...


Thanks.

--
I still have the strength not to back down, [...]
to count the friends who are gone and say ``see you later''
(F. Guccini)




