
{resolved}Re: Wrong certificate being presented





From:	espeake@oreillyauto.com
To:	openldap-technical@openldap.org
Date:	09/23/2013 10:27 AM
Subject:	Wrong certificate being presented
Sent by:	openldap-technical-bounces@OpenLDAP.org




The authentication works on the single server we have which is running an
older version of OpenLDAP (2.4.21).  In my packet captures it appears that
the older version of OpenLDAP is presenting the certificate we want it to
present.  The new version (2.4.31), although it has the same cert installed
in the same place, is presenting an older self-signed cert that has been
removed.  The new servers have been rebooted since this change, so where
could this possibly be cached?

This is from my slapcat of the new servers.

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzPolicy: any
olcPidFile: /var/run/slapd/slapd.pid
olcServerID: 1 ldap://tntest-ldap-3.example.com
olcServerID: 2 ldap://tntest-ldap-1.example.com
olcServerID: 3 ldap://tntest-ldap-2.example.com
olcThreads: 8
olcTLSCACertificateFile: /etc/ldap/gd_bundle.crt
olcTLSCertificateFile: /etc/ldap/wildcard.example.com.crt
olcTLSCertificateKeyFile: /etc/ldap/wildcard.example.com.key
olcToolThreads: 1
structuralObjectClass: olcGlobal
creatorsName: cn=config
entryUUID: 91cc0ae0-9e13-1032-84b5-0151b658a842
createTimestamp: 20130820183919Z
olcLogLevel: config acl stats conns
olcTLSCipherSuite: NORMAL
olcTLSCRLCheck: none
olcTLSVerifyClient: never
entryCSN: 20130923150907.574575Z#000000#001#000000
modifiersName: uid=admin,dc=oreillyauto,dc=com
modifyTimestamp: 20130923150907Z
contextCSN: 20130923150907.574575Z#000000#001#000000
contextCSN: 20130923150843.855673Z#000000#002#000000
contextCSN: 20130919185322.242639Z#000000#003#000000

I tried doing an ldapmodify to delete the olcTLSCipherSuite and
olcTLSCRLCheck that I added, and they will not disappear.
Thanks
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts

The old certificates had been renamed adding .orig to the end.  I deleted
those and now the certificates are being presented properly.

Thank you,
Eric

This communication and any attachments are confidential, protected by
Communications Privacy Act 18 USCS § 2510, solely for the use of the
intended recipient, and may contain legally privileged material. If you are
not the intended recipient, please return or destroy it immediately. Thank
you.


--
This message has been scanned for viruses and dangerous content,
and is believed to be clean.
  Message id: 9E11060097D.AE15A




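A check that follows from the resolution above, as an added example (not part of the original thread and not OpenLDAP tooling): given the certificate the server actually presented, saved as PEM, it reports whether the configured olcTLSCertificateFile holds it and which other files in the certificate directory do. The function names, the `server.crt.orig` file name and the sample certificate bytes are constructed assumptions.

```python
import base64, hashlib, os, re, tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block found in PEM text."""
    out = set()
    for body in PEM_RE.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()))
        except ValueError:
            continue  # damaged PEM block, skip it
        out.add(hashlib.sha256(der).hexdigest())
    return out

def find_presented(presented_pem, cert_dir, configured_path):
    """Return (configured_matches, other_paths) for the presented certificate."""
    # other_paths: files besides the configured one that hold the same cert,
    # for example leftovers renamed to *.orig.
    want = fingerprints(presented_pem)
    configured = os.path.abspath(configured_path)
    hits = []
    for root, _dirs, names in os.walk(cert_dir):
        for name in sorted(names):
            path = os.path.abspath(os.path.join(root, name))
            try:
                with open(path, encoding="ascii", errors="ignore") as fh:
                    if want & fingerprints(fh.read()):
                        hits.append(path)
            except OSError:
                continue  # unreadable file, e.g. a key with tight permissions
    return configured in hits, [p for p in hits if p != configured]

def fake_pem(raw):  # constructed stand-in bytes, not a real X.509 certificate
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def demo():
    """Rebuild the thread's file layout in a temp dir (constructed sample data)."""
    old, new = fake_pem(b"old self-signed cert"), fake_pem(b"new wildcard cert")
    with tempfile.TemporaryDirectory() as d:
        cur = os.path.join(d, "wildcard.example.com.crt")
        stale = os.path.join(d, "server.crt.orig")  # hypothetical file name
        for path, text in ((cur, new), (stale, old)):
            with open(path, "w") as fh:
                fh.write(text)
        ok, others = find_presented(old, d, cur)
        return ok, [os.path.basename(p) for p in others]

if __name__ == "__main__":
    print(demo())
```

A result where the configured file does not match but another file does points at a stale copy in the directory, which is the situation the poster resolved by deleting the `.orig` files.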