[Date Prev][Date Next] [Chronological] [Thread] [Top]

Openldap ssl with translucent proxy

Title: Openldap ssl with translucent proxy

Hi all,

I'm trying to configure a ldap server proxy with overlay translucent, in this way I can add group's to users on the default Ldap Server.
Everything is ok until I try to use the SSL:

Ldap Server (solaris)<----(389 ldap)---> My Openladap proxy <------(389 ldap)---> Client (everything ok)

When I try to use certificates and secure Ldap, I have a problem:

Ldap Server (solaris)<----(389 ldap)---> My Openladap proxy <------(636 ldaps)---> Client (still ok)

But I have no success when I try to configure the 636 ldaps between main Ldap server (on solaris) and my openldap proxy :( the answer is "No such user".

My slapd.conf on my openldap proxy:

database        bdb
suffix          "dc=mycompany,dc=pt"
rootdn          "cn=Admin,dc=mycompany,dc=pt"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg
rootpw {SSHA}blablabla

overlay    translucent
#uri         ldaps://solaris_ldap_server02:636
uri         ldaps://solaris_ldap_server01:636
#uri         ldap://solaris_ldap_server01
#uri         ldap://solaris_ldap_server02

So, if I use the "uri ldap://solaris_ldap_server01" everything is ok and wonderful but if I want something more secure like "uri ldaps://solaris_ldap_server01:636" I got a "No such user" grrrrrr.

The beautifull part is that I have all certificates and I can use wiht success the ldapsearch (636 ldaps) against the solaris_ldap_server from my openldap proxy and/or from my linux client, like:
ldapsearch -H ldaps://solaris_ldap_server01:636 -x -b "dc=mycompany,dc=pt"

And if I configure a Linux client to connect directly to Solaris Server on port 636 ldaps (without my proxy), everything is ok and no problem.

When I put a tcpdump running on my Ldap Proxy the Solaris server answer with a "TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)" but this is bull sheet, I have the correct certificate other way I was not able to do search querys.

The big question is, why the "overlay translucent" (proxy) does not work on secure mode? what I'm doing wrong?