Ultimate Home Server - LDAP + GNUTLS = Nightmare

Okay, I’ve been working on this for two weeks now. It’s been a pure nightmare of an experience. Apparently Debian has changed OpenLDAP so that it is now compiled against GNUTLS. This is for reasons of questionable licensing problems, or rather the possibility that there may be licensing problems between the GPL (General Public Licence) and the OpenSSL license. I don’t really understand the legal crap behind it, but I think the whole thing is getting ridiculous. I mean, I’ve always been under the impression that open source software was for the good of everyone, but if we have license wars going on, not because people are stealing anything, but simply because two groups have different ideas about how things should be given away, then isn’t that kind of defeating the purpose? This particular little thing has made OpenLDAP with TLS (Transport Layer Security) an inoperable nightmare. I’m sure there are people out there who have managed to get it to work, but I can’t find them; they don’t reply to forum posts, or really answer on mailing lists. The general consensus, at least as far as I can find, is that GNUTLS is a buggy piece of software that, while full of potential, is not mature or refined, or even really capable of doing this task properly. Of course, the thread about it is from February of 2008; I would imagine that some things have changed since then, but probably not a whole lot…?

So anyway, after two weeks of fighting with this, since Ubuntu is Debian based, and Hardy is the first one to get hit with this problem, I’ve been forced to give up for now. I have too much other stuff to get done. I need to step away from this for a while and look at some other alternatives. Some possibilities might be:

  1. Install an older Ubuntu in the virtual machine, thereby avoiding the problem for the time being…
  2. Install some other distro in the virtual machine to avoid the problem…
  3. Use the LDAP server without TLS
  4. compile stuff from source code…
  5. Other options that I haven’t thought of yet…

None of these sound very appealing at the moment. Older versions of Ubuntu will have to be upgraded eventually, and I think one of the many bugs I encountered during this unfulfilled quest would still affect things even when the server was using OpenSSL, if the client had been compiled against GNUTLS… That would mean I’d need to stop using Ubuntu and other Debian derivatives altogether, and that’s not a nice picture. As far as compiling from source code goes, if I’m going to do all that then I may as well switch over to Gentoo. I liked it a lot anyway, but I was stuck without decent Internet for a while so I switched to something that was easier to maintain.

I’ll have to look into some options on this one, but in the meantime I’m going to go ahead with the next thing I was going to do in this series, which was… a local LAMP (Linux Apache MySQL PHP/Perl/Python) server. I’ll be posting up some stuff about it in the next couple of days or so, heh, meaning sometime between tomorrow and a week and a half after that. :p

PS: If you’re interested in getting an OpenLDAP/Samba PDC (Primary Domain Controller) up and running without TLS, or GSSAPI/Kerberos for that matter, then there is a great howto that helped me get that part working, though it does very little explaining of why you do things, so you might want to spend some time reading up on stuff before following it blindly. If you travel that path then I wish you luck; I may end up doing that myself after I finish the rest of this server.

2 Comments

  1. Bejoy
    Posted November 12, 2008 at 9:15 am | Permalink

    This was addressed in v2.6.0 by adding gnutls_x509_crt_set_subject_alt_name

  2. Posted November 14, 2008 at 9:01 am | Permalink

    I’m glad to hear this, but I wonder if it’s made its way into Ubuntu yet. Unfortunately I no longer have a server box to test it on. Hopefully that situation will change in February or so…

    Thanks for the information though, it’s good to hear :)
