Re: (ITS#8022) Backend Meta does not work with ssl-backends
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8022) Backend Meta does not work with ssl-backends
- From: hyc@symas.com
- Date: Mon, 12 Jan 2015 15:13:42 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
dirk.kastens@uni-osnabrueck.de wrote:
> Full_Name: Dirk Kastens
> Version: 2.4.40
> OS: RedHat SL 7.0
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:638:508:3d0:579:e63b:2c0e:3a09)
>
>
> This is a duplicate of #7983
Then you should have simply followed up to #7983.
Does ldapsearch work against the target servers using the certificate
configurations you listed?
Without a reproducible test case you'll get the same response as #7983 -
no evidence of an OpenLDAP software bug, take this to the -technical
list for help fixing your configuration. Or take this to RedHat support
for help using their build of TLS software.
> I'm running an openldap server with a meta backend that combines the
> trees of three different ldap servers. Two of them are connected via
> starttls and one via ssl over port 636. This perfectly works with
> openldap-2.4.23.
> Now I have upgraded the server to RedHat SL 7.0 with openldap-2.4.39.
> The ssl server cannot be reached by the meta backend any more. I
> manually compiled openldap 2.4.40, but the effect is the same. I tried
> openssl and moznss, but this makes no difference. I only see the trees
> of the tls connected servers.
> The tls servers also speak ssl, so I simply changed the uri from "ldap:"
> to "ldaps:". The effect is, that the servers also became unreachable.
>
> Here is my configuration:
> -------------------------------
> database meta
> suffix "ou=new,dc=xyz,dc=de"
>
> uri "ldap://ldap.xyz.de/ou=a,ou=new,dc=xyz,dc=de"
> suffixmassage "ou=a,ou=new,dc=xyz,dc=de" "ou=people,dc=xyz,dc=de"
> idassert-bind bindmethod=simple binddn="cn=proxy,dc=xyz,dc=de"
> credentials="secret" mode=self
> tls_cert=/etc/openldap/certs/client.pem
> tls_key=/etc/openldap/certs/client.key
> tls_cacert=/etc/openldap/cacerts/cacerts.pem
> tls_cacertdir=/etc/openldap/cacerts
> tls_rcecert=never
> idassert-authzFrom "dn.exact:cn=root,ou=new,dc=xyz,dc=de"
>
> uri "ldaps://ldap.abc.de:636/ou=b,ou=new,dc=xyz,dc=de"
> suffixmassage "ou=b,ou=new,dc=xyz,dc=de" "ou=people,dc=abc,dc=de"
> idassert-bind bindmethod=simple binddn="cn=proxy,dc=abc,dc=de"
> credentials="secret" mode=self starttls=no
> tls_cert=/etc/openldap/certs/client.pem
> tls_key=/etc/openldap/certs/client.key
> tls_cacert=/etc/openldap/cacerts/cacerts.pem
> tls_cacertdir=/etc/openldap/cacerts
> tls_reqcert=never
> idassert-authzFrom "dn.exact:cn=root,ou=new,dc=xyz,dc=de"
> -------------------------------
>
> When I search the meta directory, I only see the ou=a branch.
> slapd logs the following:
>
> conn=1000 op=1 SRCH base="ou=new,dc=xyz,dc=de" scope=1 deref=3
> filter="(objectClass=*)"
> conn=1000 op=1 SRCH attr=objectclass
> conn=1000 op=1: meta_back_getconn[0]
> conn=1000 op=1: meta_back_getconn[1]
> conn=1000 op=1 meta_back_getconn: candidates=2 conn=ROOTDN-TLS inserted
> conn=1000 op=1 >>> meta_back_search_start[0]
> conn=1000 op=1 >>> meta_search_dobind_init[0]
> conn=1000 op=1 <<< meta_search_dobind_init[0]=2
> conn=1000 op=1 <<< meta_back_search_start[0]=2
> conn=1000 op=1 >>> meta_back_search_start[1]
> conn=1000 op=1 >>> meta_search_dobind_init[1]
> conn=1000 op=1 <<< meta_search_dobind_init[1]=4
> conn=1000 op=1 <<< meta_back_search_start[1]=4
> conn=1000 op=1 meta_back_search: ncandidates=2 cnd="**"
> conn=1000 op=1 >>> meta_back_search_start[0]
> conn=1000 op=1 >>> meta_search_dobind_init[0]
> conn=1000 op=1 <<< meta_search_dobind_init[0]=1
> ...
> conn=1000 op=1 <<< meta_back_search_start[0]=1
> conn=1000 op=1 >>> meta_search_dobind_init[1]
> conn=1000 op=1 <<< meta_search_dobind_init[1]=0
> -------------------------------
>
> It seems to find both servers, but it only connects to the first one.
> With ldapsearch I only see the branch "ou=a,ou=new,dc=xyz,dc=de".
> slapd hangs and can only be terminated by "kill -4". When the first server is
> specified with ldaps, none of the servers are reachable.
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
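The check asked for above (does ldapsearch reach each target with the same certificate settings slapd was given?) can be scripted so the TLS side is tested outside back-meta. This is an added example, not part of the ITS thread or of OpenLDAP itself; it assumes the certificate paths, target URIs, proxy bind DNs and remote suffixes from the quoted configuration, and reads the bind password with -W.

```shell
#!/bin/sh
# Added example (not from the ITS thread): probe each back-meta target with
# ldapsearch using the same client certificate and CA as the quoted
# slapd.conf, so a TLS/handshake failure can be separated from a back-meta
# problem. Paths and URIs below are the ones from the report.
CERT=/etc/openldap/certs/client.pem
KEY=/etc/openldap/certs/client.key
CACERT=/etc/openldap/cacerts/cacerts.pem

# Print the ldapsearch command for one target: $1 = back-meta URI,
# $2 = proxy bind DN, $3 = real suffix on the remote server (the second
# argument of suffixmassage). Only scheme://host:port is passed to -H.
# ldap:// targets get -ZZ so a failed StartTLS upgrade is a hard error,
# mirroring the StartTLS the meta backend performs for them.
probe_cmd() {
  uri=$1; binddn=$2; base=$3
  scheme=${uri%%://*}
  rest=${uri#*://}
  hostport=${rest%%/*}
  case $scheme in
    ldaps) tls_flag="" ;;
    ldap)  tls_flag="-ZZ" ;;
    *) echo "unsupported scheme in $uri" >&2; return 1 ;;
  esac
  # REQCERT=demand on purpose: the quoted config uses tls_reqcert=never,
  # which hides an untrusted or mismatched server certificate; demanding
  # verification shows whether cacerts.pem really trusts each server.
  printf 'LDAPTLS_CERT=%s LDAPTLS_KEY=%s LDAPTLS_CACERT=%s LDAPTLS_REQCERT=demand ldapsearch -x %s -H %s://%s -D "%s" -W -s base -b "%s" objectClass\n' \
    "$CERT" "$KEY" "$CACERT" "$tls_flag" "$scheme" "$hostport" "$binddn" "$base"
}

# Run a probe when ldapsearch is installed; otherwise just show the command.
run_probe() {
  cmd=$(probe_cmd "$1" "$2" "$3") || return 1
  if command -v ldapsearch >/dev/null 2>&1; then
    echo "# $cmd"; eval "$cmd"
  else
    echo "# ldapsearch not installed; would run: $cmd"
  fi
}

run_probe "ldap://ldap.xyz.de/ou=a,ou=new,dc=xyz,dc=de" \
          "cn=proxy,dc=xyz,dc=de" "ou=people,dc=xyz,dc=de"
run_probe "ldaps://ldap.abc.de:636/ou=b,ou=new,dc=xyz,dc=de" \
          "cn=proxy,dc=abc,dc=de" "ou=people,dc=abc,dc=de"
```

A target that answers here but not through back-meta narrows the problem to the proxy's idassert-bind stanza; one that fails here too is a certificate or TLS-library issue on that host.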