[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth

To: openldap-its@OpenLDAP.org
Subject: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth
From: subbarao@computer.org
Date: Wed, 17 Nov 2010 01:19:43 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Kartik Subbarao
Version: 2.4.23
OS: Debian Linux 5.0.5
URL: ftp://ftp.openldap.org/incoming/kartik_subbarao.101116.tgz
Submission from: (NULL) (76.99.175.5)


I'm trying to get a consumer server to forward ppolicy-related updates to its
provider server, and to use certificate-based authentication (SASL EXTERNAL)
over STARTTLS when authenticating to the provider.

I'm running into multiple problems here. The core problem seems to be that
enabling ppolicy_forward_updates breaks the chaining overlay such that it binds
anonymously instead of with SASL EXTERNAL. Another problem is that bind
operations to the consumer server start to return two result messages -- one
with the error code of the chained operation, and one with the error code of the
bind operation.

To simplify reproducing the problem, I've worked with test022-ppolicy in the
openldap test framework. Here, I ran into another issue. I can't seem to be able
to configure sasl external/starttls chaining properly with the cn=config style
configuration that test022-ppolicy applies. The self-signed cert that I'm using
works fine with replication, but it doesn't seem to work with chaining. This may
or may not be another issue that needs to be resolved.

In any case, with the attached files in the ITS, I hope that what I'm trying to
do and the results that I'm getting should be as clear as possible.

Prev by Date: Re: (ITS#6703) Patch - Mozilla NSS - reject non-file key and cert files
Next by Date: (ITS#6712) dont-use-copy/syncrepl/chain hasSubordinates extra vals
Index(es):
- Chronological
- Thread