
Re: (ITS#7993) proxyauth with saslmech EXTERNAL not working



dkastens@uos.de wrote:
> Full_Name: Dirk Kastens
> Version: 2.4.39
> OS: RedHat SL 6.6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:638:508:3d0:12a:32c6:740c:8971)
>
>
> We installed an ldap cluster with a mirrored master and several replicas on
> RedHat SL 6.5 with openldap 2.4.23-34.el6_5.1.x86_64. Write requests to the
> replicas are referred to the master server. The chain overlay follows the
> referral. It connects with the saslmech EXTERNAL to the master. The master maps
> the DN of the certificate to the replica admin. The replica admin has its
> authzTo attribute set to the write admin. This way the writing perfectly worked
> on our replica servers for all admins that are listed in the authzTo attribute.
> Shortly the machines were updated to SL 6.6 with openldap 2.4.39-8.el6.x86_64.
> The proxyauth stopped working. Write requests to the replica servers end with
> the error
> "ldap_modify: Other (e.g., implementation specific) error (80)".

Without debug output from slapd there's no evidence of an OpenLDAP 
software bug here. Most likely the TLS library changed between your two 
versions and you're missing a TLS option now.

Regardless, you're using a Red Hat build which contains their own 
unknown patches to the code. The OpenLDAP Project cannot support these 
builds since we don't know exactly what they are, but they are known to 
break OpenLDAP functionality on a routine basis. e.g. 
https://bugzilla.redhat.com/show_bug.cgi?id=1095976

Ask Red Hat for support on their build. Closing this ITS.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/