
(ITS#5995) slapo-chain TLS issues

Full_Name: Chad Richards
Version: 2.4.15
OS: CentOS 5.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (12.178.116.129)


overlay chain
chain-rebind-as-user FALSE
chain-uri "ldap://XXX";
chain-rebind-as-user TRUE
chain-idassert-bind
    bindmethod="simple"
    binddn="cn=Manager,dc=XXX,dc=com"
    credentials="secret"
    mode="self"
    starttls=critical
    tls_reqcert=never
    tls_cacertdir=/etc/openldap/cacerts
chain-tls start
chain-return-error TRUE


slapo-chain and TLS work fine connecting to the slave with LUMA; I can do
password updates and everything is fine. At first, TLS with slapo-chain wouldn't work
in LUMA until I added starttls=critical inside chain-idassert-bind.

Now the problem I'm having is that I cannot do a passwd as root or an ldap user
from the shell prompt.

ldap.conf
ssl start_tls
tls_reqcert never
tls_checkpeer no
tls_cacertdir /etc/openldap/cacerts

Master log file when slapo-chain runs
---------------
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(18): got connid=6
connection_read(18): checking for input on id=6
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
connection_read(18): TLS accept failure error=-1 id=6, closing
connection_close: conn=6 sd=18


Slave log file when slapo-chain runs
-----------------
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=XX/O=XX/OU=XX/CN=XX/emailAddress=XX, issuer: /C=US/ST=XX/O=XX/OU=XX/CN=XX/emailAddress=XX
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.


I had the same problem with LUMA, and that problem went away when I put the
starttls=critical in the chain-idassert-bind.

My ldap.conf works fine for everything else but just dies on passwd with TLS
errors with slapo-chain.

Any ideas?

Thanks!
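The slave log above records OpenSSL verify error 19 ("self signed certificate in certificate chain") at depth 1, which is what the slave reports when the master presents a certificate chain ending in a self-signed CA that is not in the slave's tls_cacertdir. The script below is an added example, not part of this report or of OpenLDAP: it rebuilds that failure offline with constructed certificates and then shows the one-line fix, installing the CA under its OpenSSL subject-hash name (the only name slapd will look up in a cacertdir). It assumes only the openssl CLI; the temporary directory stands in for /etc/openldap/cacerts.

```shell
#!/bin/sh
# Added example, not part of the ITS report. Reproduces the slave-side
# failure offline ("err: 19 ... self signed certificate in certificate
# chain") and shows the fix: the master's CA must be present in the
# directory named by tls_cacertdir under its OpenSSL subject-hash name,
# because slapd (via OpenSSL) looks it up by hash, not by file name.
# Assumes only the openssl CLI; all certificates below are constructed.
set -eu

WORK=$(mktemp -d)
CACERTDIR="$WORK/cacerts"      # stand-in for /etc/openldap/cacerts
mkdir -p "$CACERTDIR"

# A throwaway self-signed CA and a master server certificate it signs,
# consistent with a master that sends its CA along in the TLS chain
# (that is what produces err 19 at depth 1 rather than err 18 at depth 0).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=master.example.test" \
    -keyout "$WORK/master.key" -out "$WORK/master.csr" 2>/dev/null
openssl x509 -req -in "$WORK/master.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -set_serial 1 -days 1 -out "$WORK/master.crt" 2>/dev/null

# verify_chain LEAF CHAIN_CA DIR: what the slave does when it receives
# LEAF plus CHAIN_CA from the master and trusts only what is in DIR.
# Exit 0 on success; non-zero with OpenSSL's own diagnostic otherwise.
verify_chain() {
    openssl verify -CApath "$3" -untrusted "$2" "$1"
}

# install_ca CA DIR: publish CA in DIR under the name slapd will look for
# (<subject-hash>.0), the per-file equivalent of c_rehash on the directory.
install_ca() {
    ln -sf "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

# Before the CA is installed: fails exactly like the slave log.
verify_chain "$WORK/master.crt" "$WORK/ca.crt" "$CACERTDIR" \
    || echo "verification failed as expected: CA not in $CACERTDIR"

# After installing the CA under its hash name: succeeds.
install_ca "$WORK/ca.crt" "$CACERTDIR"
verify_chain "$WORK/master.crt" "$WORK/ca.crt" "$CACERTDIR"
```

Dropping the CA file into the directory under an arbitrary name is not enough: without the hash-named entry the verify step fails in the same way the slave log shows.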