
RE: [EXTERNAL] Re: back-ldap and ldaps not working



Yeah, that's actually how I started and where the starttls=no setting came from.

This .conf section

overlay					chain
chain-uri				"ldaps://ds2-q.global.aep.com"
chain-rebind-as-user	TRUE
chain-idassert-bind		bindmethod=simple binddn="cn=syncuser,ou=Automatons,ou=Users,dc=Global,dc=aep,dc=com" credentials=<redacted> mode="self"
chain-tls				ldaps tls_cacert=/appl/openldap/etc/openldap/tls/cacerts.cer
chain-return-error		TRUE

becomes this ldap backend when using slaptest

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 bdc4cf96
dn: olcDatabase={1}ldap
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: "ldaps://ds2-q.global.aep.com"
olcDbStartTLS: ldaps  starttls=no tls_cacert="/appl/openldap/etc/openldap/tl
 s/cacerts.cer" tls_reqcert=demand tls_crlcheck=none
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bin
 dmethod=simple timeout=0 network-timeout=0 binddn="cn=syncuser,ou=automaton
 s,ou=users,dc=global,dc=aep,dc=com" credentials=<redacted> keepalive=0:0:0
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0
structuralObjectClass: olcLDAPConfig
entryUUID: 7b1cc741-120e-4ce2-b539-17791a361cb1
creatorsName: cn=config
createTimestamp: 20170707202053Z
entryCSN: 20170707202053.340477Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170707202053Z

I guess it's time to start diving into the source.

-Jon

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com] 
Sent: Friday, July 07, 2017 3:45 PM
To: Jon C Kidder; openldap-technical@OpenLDAP.org
Subject: RE: [EXTERNAL] Re: back-ldap and ldaps not working

--On Friday, July 07, 2017 8:10 PM +0000 Jon C Kidder <jckidder@aep.com>
wrote:

> I've removed the starttls=no syntax and the line now reads.
>
> olcDbStartTLS: ldaps
> tls_cacert="/appl/openldap/etc/openldap/tls/cacerts.cer  "
> tls_reqcert=demand tls_crlcheck=none
>
> I have verified the change propagated to the configuration directory and
> restarted the instance.   I saw no errors during configuration parsing in
> the log.  I am still seeing this error when the chain overlay tries to 
> follow the referral but no complaints when syncrepl connects.

I'm not sure how you do this with cn=config.  With slapd.conf, it would be done via using "chain-tls" and not "tls", as per the man page:

       There are very few chain overlay specific directives; however,
       directives related to the instances of the ldap backend that may be
       implicitly instantiated by the overlay may assume a special meaning
       when used in conjunction with this overlay.  They are described in
       slapd-ldap(5), and they also need to be prefixed by chain-.

It may be worthwhile to set up a slapd.conf where "chain-tls" is specified, and see what happens with that on conversion.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.symas.com&d=DwICAg&c=gMbiD-Q9WoaRgoXZKCrSug&r=WacA_KdnzU1pvF8wEQ4v1A&m=Isd4JvrQMtVM2xNyy__en7CYfuIV3MFFSw-tpnypBCk&s=w7LJkgkNTZksVYarXu-yztjBR7zuXrr87lx0VGdI-V0&e= >
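As an added example (not from the thread and not OpenLDAP's own code), a short Python script that unfolds the slaptest-generated LDIF quoted above, so the wrapped olcDbStartTLS value can be read whole, and audits the chain database's TLS settings: an ldaps:// URI, the "ldaps starttls=no" combination the thread is puzzling over, and an explicit tls_reqcert=demand. The sample LDIF is constructed from the quoted output with the credential replaced by a placeholder.

```python
import shlex

# Constructed sample modelled on the slaptest output quoted in the thread
# (credentials replaced by a placeholder; not taken from a live system).
SAMPLE_LDIF = """\
dn: olcDatabase={1}ldap
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDbURI: "ldaps://ds2-q.global.aep.com"
olcDbStartTLS: ldaps  starttls=no tls_cacert="/appl/openldap/etc/openldap/tl
 s/cacerts.cer" tls_reqcert=demand tls_crlcheck=none
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bin
 dmethod=simple timeout=0 network-timeout=0 binddn="cn=syncuser,ou=automaton
 s,ou=users,dc=global,dc=aep,dc=com" credentials=PLACEHOLDER keepalive=0:0:0
olcDbRebindAsUser: TRUE
"""


def unfold_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; a line starting with
    one space continues the previous line (RFC 2849), the space dropped."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    attrs = {}
    for line in logical:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs


def audit_chain_tls(attrs):
    """Return findings about the TLS settings of a cn=config chain database."""
    findings = []
    uri = attrs.get("olcDbURI", [""])[0].strip('"')
    if not uri.startswith("ldaps://"):
        findings.append("olcDbURI does not use ldaps://")
    # shlex honours the quoting slaptest emits around tls_cacert
    tokens = shlex.split(attrs.get("olcDbStartTLS", [""])[0])
    mode = tokens[0] if tokens else ""
    opts = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    if mode == "ldaps" and opts.get("starttls") == "no":
        findings.append("ldaps combined with starttls=no (the slaptest form questioned in the thread)")
    if opts.get("tls_reqcert") != "demand":
        findings.append("tls_reqcert is not explicitly set to demand")
    return findings
```

Run it against the LDIF slaptest writes under cn=config to confirm the whole value, including the folded tls_cacert path, came through as intended.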