
RE: [EXTERNAL] Re: back-ldap and ldaps not working



So, following Howard's suggestion I did some testing with strace.

When back-ldap goes to make the proxy call I see an fopen for this file /appl/openldap/etc/openldap/tls/cacerts.cer, which is the file I have explicitly configured. I then see an fopen for this file /appl/openldap/etc/openldap/tls/3a89cd48.0. I have no idea where this file name came from. If I copy the CA cert into this 3a89cd48.0 file or I symlink this file to my cacerts file, the TLS handshake succeeds and the update is properly forwarded to the master. No matter what I specify in my configuration, the TLS handshake only succeeds if the ca cert resides in the 3a89cd48.0 file.

JON C KIDDER | MIDDLEWARE ADMINISTRATOR LEAD
JCKIDDER@AEP.COM | D:614.716.4970
1 RIVERSIDE PLAZA, COLUMBUS, OH 43215
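A name of the form eight hex digits plus ".<n>", like the 3a89cd48.0 above, is how OpenSSL's hashed CA-directory lookup names its entries: that is the layout c_rehash builds, and it is what OpenSSL consults when libldap is handed a CA directory (TLS_CACERTDIR / olcTLSCACertificatePath) rather than, or in addition to, a CA file. The shell script below is an added example, not code from this thread or from OpenLDAP; it assumes the openssl CLI is installed and uses a constructed throwaway CA in place of the cacerts.cer from the post.

```shell
#!/bin/sh
# Added example (not from the thread).  Assumes the openssl CLI is installed and
# substitutes a constructed throwaway CA for Jon's cacerts.cer.  With
# TLS_CACERTDIR / olcTLSCACertificatePath, OpenSSL opens <subject hash>.<n>
# (the shape of 3a89cd48.0) in that directory; c_rehash creates those links.
set -eu

# The 8-hex-digit hash OpenSSL derives from a certificate's subject name.
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Copy a CA cert into a hashed CA directory as <hash>.<n>; the suffix is only
# bumped when a different cert already holds <hash>.<n> (hash collision).
install_into_capath() {
    cert="$1"; dir="$2"; h=$(subject_hash "$cert"); n=0
    while [ -e "$dir/$h.$n" ]; do
        if cmp -s "$cert" "$dir/$h.$n"; then echo "$dir/$h.$n"; return 0; fi
        n=$((n + 1))
    done
    cp "$cert" "$dir/$h.$n"
    echo "$dir/$h.$n"
}

# Verify using only that directory, as the proxy's TLS client would; the default
# CA file and directory are disabled so the result reflects the directory alone.
verify_with_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# Constructed fixture: self-signed demo CA written to $1/ca.pem (assumed name).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d); mkdir "$work/capath"; make_demo_ca "$work"
    verify_with_capath "$work/capath" "$work/ca.pem" || echo "not trusted yet"
    echo "installed as $(install_into_capath "$work/ca.pem" "$work/capath")"
    verify_with_capath "$work/capath" "$work/ca.pem" && echo "now trusted"
    rm -rf "$work"
fi
```

Running the script with the argument `demo` shows the cert failing verification against an empty directory and passing once it sits under its hashed name, which is the behaviour the post describes for 3a89cd48.0.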
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com] 
Sent: Monday, July 10, 2017 1:24 PM
To: Jon C Kidder
Cc: openldap-technical@OpenLDAP.org
Subject: Re: [EXTERNAL] Re: back-ldap and ldaps not working

--On Saturday, July 08, 2017 4:53 PM +0200 Michael Ströder <michael@stroeder.com> wrote:


> I vaguely remember there were bugs in back-ldap/back-meta ignoring TLS
> options. The work-around back then was to set env var LDAPTLS_CACERT and
> friends when starting slapd to let libldap pick up the TLS options from
> env.
>
> Should be fixed in recent releases OpenLDAP though.

Ha, one of the few times I failed to ask what version of OpenLDAP was being 
used...

Jon, what OpenLDAP release are you running?

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>