Re: (ITS#7993) proxyauth with saslmech EXTERNAL not working
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7993) proxyauth with saslmech EXTERNAL not working
- From: firstname.lastname@example.org
- Date: Fri, 05 Dec 2014 13:28:05 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> Full_Name: Dirk Kastens
> Version: 2.4.39
> OS: RedHat SL 6.6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:638:508:3d0:12a:32c6:740c:8971)
> We installed an ldap cluster with a mirrored master and several replicas on
> RedHat SL 6.5 with openldap 2.4.23-34.el6_5.1.x86_64. Write requests to the
> replicas are referred to the master server. The chain overlay follows the
> referral. It connects with the saslmech EXTERNAL to the master. The master maps
> the DN of the certificate to the replica admin. The replica admin has its
> authzTo attribute set to the write admin. This way the writing perfectly worked
> on our replica servers for all admins that are listed in the authzTo attribute.
> Shortly the machines were updated to SL 6.6 with openldap 2.4.39-8.el6.x86_64.
> The proxyauth stopped working. Write requests to the replica servers end with
> the error
> "ldap_modify: Other (e.g., implementation specific) error (80)".
Without debug output from slapd there's no evidence of an OpenLDAP
software bug here. Most likely the TLS library changed between your two
versions and you're missing a TLS option now.
Regardless, you're using a Red Hat build which contains their own
unknown patches to the code. The OpenLDAP Project cannot support these
builds since we don't know exactly what they are, but they are known to
break OpenLDAP functionality on a routine basis. e.g.
Ask Red Hat for support on their build. Closing this ITS.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/