I can confirm this bug existed in karmic and still exists in lucid, and has gotten worse since /etc/sudo-ldap.conf is now a symbolic link to /etc/ldap/ldap.conf. Not knowing this, I tried to edit /etc/sudo-ldap.conf and change ldaps to ldap, accidentally turning off encryption for all NSS/PAM LDAP activity including passwords!
The page linked above is only partially relevant, since it deals with connection debugging with ldapsearch, which works just fine with ldaps in this case. I did the gnutls-client part and got the following:
Processed 1 CA certificate(s).
Resolving 'mail....de'...
Connecting to '172.16.6.1:636'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=DE,ST=NRW...,CN=mail....de,<email address hidden>', issuer `C=DE,ST=NRW,...,CN=....de,EMAIL=admin@...de', RSA key 2048 bits, signed using RSA-SHA, activated `2009-11-30 13:22:21 UTC', expires `2010-11-30 13:22:21 UTC', SHA-1 fingerprint `a4f903c0b1169e02172136933781cca3f5c9ca72'
- The hostname in the certificate matches 'mail....de'.
- Peer's certificate is trusted
- Version: TLS1.1
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
Looks like a perfect connection, I think.
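The accidental downgrade described in this comment (editing what looks like the sudo-only file and silently changing the URI scheme for every libldap/NSS/PAM consumer) is easy to catch with a small audit after any edit. The following script is an added example for this bug, not part of the report or of the sudo/OpenLDAP packages. It assumes the `uri` and `ssl start_tls` directives that sudoers.ldap(5) documents for sudo-ldap.conf; libldap's ldap.conf uses `URI` and has no `ssl` directive, so keys are matched case-insensitively, and a plain `ldap://` URI is only accepted when `ssl start_tls` is present. The sample configs are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the bug report): audit an LDAP client config for
# plaintext URIs and show where a symlinked config really points.

# Print the real target of PATH (the file itself if it is not a symlink),
# so an editor knows which shared file an edit would actually touch.
ldap_conf_target() {
    if [ -L "$1" ]; then
        readlink "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Return 0 when every "uri" entry in the config is encrypted:
#   ldaps://  -> TLS from the start (port 636 in the report above)
#   ldapi://  -> local Unix socket, never crosses the network
#   ldap://   -> plaintext unless the file also says "ssl start_tls"
# Return 1 when at least one URI would carry NSS/PAM/sudo traffic in the clear.
check_ldap_encryption() {
    conf="$1"
    [ -r "$conf" ] || return 1

    # Does the file enable STARTTLS? (keys are case-insensitive)
    if awk 'tolower($1) == "ssl" && tolower($2) == "start_tls" { found = 1 }
            END { exit !found }' "$conf"; then
        starttls=1
    else
        starttls=0
    fi

    plain=0
    # Collect every URI on every uncommented "uri" line (several per line allowed).
    for u in $(awk 'tolower($1) == "uri" { for (i = 2; i <= NF; i++) print $i }' "$conf"); do
        case "$u" in
            ldaps://*) ;;
            ldapi://*) ;;
            ldap://*)  [ "$starttls" -eq 1 ] || plain=1 ;;
            *)         plain=1 ;;   # unknown scheme: treat as unsafe
        esac
    done
    [ "$plain" -eq 0 ]
}

# Demonstration on constructed files (real hosts would be /etc/ldap/ldap.conf
# and /etc/sudo-ldap.conf; the hostnames below are placeholders).
demo_dir=$(mktemp -d)
printf 'uri ldaps://ldap.example.net:636/\nbase dc=example,dc=net\n' > "$demo_dir/ldap.conf"
ln -s "$demo_dir/ldap.conf" "$demo_dir/sudo-ldap.conf"
printf 'uri ldap://ldap.example.net/\n' > "$demo_dir/downgraded.conf"

printf 'sudo-ldap.conf is really: %s\n' "$(ldap_conf_target "$demo_dir/sudo-ldap.conf")"
for f in ldap.conf sudo-ldap.conf downgraded.conf; do
    if check_ldap_encryption "$demo_dir/$f"; then
        printf '%s: all URIs encrypted\n' "$f"
    else
        printf '%s: PLAINTEXT LDAP URI present\n' "$f"
    fi
done
rm -rf "$demo_dir"
```

Run it after editing either file; because `ldap_conf_target` resolves the symlink, the output makes it obvious that `sudo-ldap.conf` and `ldap.conf` are one file, and `check_ldap_encryption` flags the `ldaps` to `ldap` change before it reaches the NSS and PAM modules.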