
Re: (ITS#6642) back-meta idassert with SASL EXTERNAL ignoring parameters



> I've just tested this scenario using the back-meta sources (and
> slap.h,sl_malloc.c) from HEAD. I also tried to add "tls start" to the
> back-meta configuration.

Not sure why you need those...

> Unfortunately, the problem still persists. (But the workaround,
> setting LDAPTLS_..., still works)
>
> When I look at the debug outputs (at debug level 1), the first
> difference is in the SSL_connect messages. Only my workaround method
> is sending the "write certificate verify" to authenticate with the
> certificate, whereas it doesn't send this message without the
> workaround.

Can I see the entire configuration of both sides?  (minus passwords and
so, of course).  Is the client using TLS?  I'll re-check later, but I
could use TLS-based EXTERNAL auth with both back-ldap and back-meta with
and without setting "tls start".

Just to make sure, can you pull the entire HEAD?  Thanks for checking, in
any case.  p.

> The output from the "good" request (with workaround) is
> -----------------------------------------------------------------------------------------
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server key exchange A
> TLS trace: SSL_connect:SSLv3 read server certificate request A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client certificate A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write certificate verify A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read finished A
> ldap_int_sasl_open: host=localhost
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> -----------------------------------------------------------------------------------------
>
> The output from the request without the workaround:
> -----------------------------------------------------------------------------------------
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server key exchange A
> TLS trace: SSL_connect:SSLv3 read server certificate request A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client certificate A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read finished A
> ldap_int_sasl_open: host=localhost
> ldap_free_connection 1 1
> ldap_send_unbind
> ber_flush2: 7 bytes to sd 15
> TLS trace: SSL3 alert write:warning:close notify
> ldap_free_connection: actually freed
> -----------------------------------------------------------------------------------------
>
> Regards,
> Manuel
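As an added diagnostic (not from this thread and not OpenLDAP code), the script below parses the two "-d 1" traces quoted above and distinguishes a handshake in which the client proved possession of its key from one in which libldap only sent an empty Certificate message; it assumes the `TLS trace: SSL_connect:<version> <state>` line shape shown in the quoted output.

```python
"""Check an OpenLDAP "-d 1" TLS trace to see whether the client really
authenticated with its certificate (added diagnostic, not from the thread).
A TLS client with no certificate still sends an (empty) Certificate message,
so "write client certificate" alone proves nothing; only "write certificate
verify" shows the client signed with its private key."""
import re

# Constructed samples, abbreviated from the two traces quoted in the thread.
TRACE_WITH_CERT = """\
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=localhost
ldap_sasl_bind_s
"""
TRACE_WITHOUT_CERT = """\
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=localhost
ldap_free_connection 1 1
ldap_send_unbind
"""

# libldap prints OpenSSL's SSL_state_string_long() after "SSL_connect:<ver> ".
STATE_RE = re.compile(r"^TLS trace: SSL_connect:\S+ (.+?)(?: A)?$")

def handshake_states(trace):
    """Ordered list of SSL_connect state names found in the trace."""
    return [m.group(1) for m in map(STATE_RE.match, trace.splitlines()) if m]

def diagnose(trace):
    """Return 'no-cert-request', 'empty-client-cert' or 'client-cert-ok'."""
    states = handshake_states(trace)
    if "read server certificate request" not in states:
        return "no-cert-request"      # server never asked for a client cert
    if "write certificate verify" not in states:
        return "empty-client-cert"    # asked, but no private key was used
    return "client-cert-ok"

def sasl_bind_sent(trace):
    """True if libldap went on to send the SASL bind after the handshake."""
    return any(l.startswith("ldap_sasl_bind") for l in trace.splitlines())

if __name__ == "__main__":
    print(diagnose(TRACE_WITH_CERT), diagnose(TRACE_WITHOUT_CERT))
```

Feed it a real trace with `diagnose(open("slapd.log").read())`; an "empty-client-cert" result means the certificate and key were not handed to the TLS layer at all, which is a different failure from the server rejecting them.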