
Re: slapd-meta and tls_reqcert=allow

Jim Vanes <jimvanes@yahoo.ca> wrote:

> I'm using OpenLDAP 2.4.23-26 from CentOS 6. I seem to be hitting a configuration issue regarding slapd-meta and SSL/TLS.
> 
> Here is my meta config:
> 
> database        meta
> suffix          "dc=virtual,dc=local"
> rootdn          "cn=root,dc=virtual,dc=local"
> rootpw          password
> 
> # Local
> uri             ldap://localhost/dc=ds1,dc=virtual,dc=local
> suffixmassage   "dc=ds1,dc=virtual,dc=local" "dc=lab,dc=local"
> idassert-bind   bindmethod=simple binddn="cn=root,dc=lab,dc=local" credentials=password
> 
> #Remote AD server
> uri ldap://10.33.63.125:389/dc=ad1,dc=virtual,dc=local
> tls start
> suffixmassage "dc=ad1,dc=virtual,dc=local" "dc=mslab,dc=local"
> idassert-bind bindmethod=simple binddn="CN=Sync,CN=Users,DC=lab,DC=local" credentials="Password1" starttls="yes" tls_reqcert="allow"
> 
> It seems as though tls_reqcert="allow" is ignored for the remote AD server. If I set that variable in the ldap.conf everything works fine. But shouldn't the above function as an override to the default of 'demand'? The behaviour is the same when I change the above to use SSL instead.

I think you're running into an issue that I reported in September 2010.
See http://www.openldap.org/lists/openldap-technical/201009/msg00073.html and http://www.openldap.org/its/index.cgi?findid=6642

According to the Release Change Log, this issue should have been fixed in release 2.4.24. So you should definitely update to a more recent release.

Best regards,
Manuel
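The question above turns on which tls_reqcert value actually governs a slapd-meta target: the per-target value on the idassert-bind line, or the global default from ldap.conf. The following script is an added example, not code from this thread or from the OpenLDAP project. It parses the meta database fragment quoted above (embedded as constructed sample input), works out each target's effective tls_reqcert, and flags the cases a reviewer cares about: a simple bind with no TLS at all, and a TLS session whose peer certificate is not verified. Note that `allow` is one of the latter: per ldap.conf(5), a missing or bad server certificate is ignored and the session proceeds, so the Sync account's password would be sent to whoever answers at 10.33.63.125. Two assumptions are encoded and labelled in the code: that the fix for ITS#6642 is present from 2.4.24 on, as the reply states, and that on an unfixed release the per-target value is simply ignored in favour of the ldap.conf default, as the original post describes. The function and variable names are the example's own.

```python
"""Audit slapd-meta targets for TLS certificate-checking settings.

Added example (not from the mailing-list thread or OpenLDAP itself).
"""
import re
import shlex

# Constructed input: the meta database config quoted in the thread.
SAMPLE_CONF = """\
database        meta
suffix          "dc=virtual,dc=local"
rootdn          "cn=root,dc=virtual,dc=local"
rootpw          password

# Local
uri             ldap://localhost/dc=ds1,dc=virtual,dc=local
suffixmassage   "dc=ds1,dc=virtual,dc=local" "dc=lab,dc=local"
idassert-bind   bindmethod=simple binddn="cn=root,dc=lab,dc=local" credentials=password

#Remote AD server
uri ldap://10.33.63.125:389/dc=ad1,dc=virtual,dc=local
tls start
suffixmassage "dc=ad1,dc=virtual,dc=local" "dc=mslab,dc=local"
idassert-bind bindmethod=simple binddn="CN=Sync,CN=Users,DC=lab,DC=local" credentials="Password1" starttls="yes" tls_reqcert="allow"
"""

# tls_reqcert values under which libldap proceeds despite a missing or
# bad server certificate (ldap.conf(5)): the peer is not authenticated.
NO_VERIFY = {"never", "allow"}
# 'try': a missing certificate is tolerated, a bad one still fails.
PARTIAL_VERIFY = {"try"}


def fix_present(version):
    """Assumption from the reply: ITS#6642 is fixed from 2.4.24 on.
    Accepts strings such as '2.4.23-26' (distro suffix ignored)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(p) for p in m.groups()) >= (2, 4, 24)


def parse_meta_targets(conf_text):
    """Split a slapd-meta fragment into targets.  As in slapd-meta, each
    'uri' line starts a new target and later directives attach to it."""
    targets = []
    cur = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # strips the quoting used in slapd.conf
        key = tokens[0].lower()
        if key == "uri":
            cur = {"uri": tokens[1], "tls": None, "starttls": False,
                   "tls_reqcert": None, "bindmethod": None}
            targets.append(cur)
        elif cur is None:
            continue                        # database-level lines before the first uri
        elif key == "tls":
            cur["tls"] = tokens[1].lower()
        elif key == "idassert-bind":
            for opt in tokens[1:]:
                k, _, v = opt.partition("=")
                k = k.lower()
                if k == "starttls":
                    cur["starttls"] = v.lower() in ("yes", "true", "on")
                elif k == "tls_reqcert":
                    cur["tls_reqcert"] = v.lower()
                elif k == "bindmethod":
                    cur["bindmethod"] = v.lower()
    return targets


def audit(conf_text, global_default="demand", slapd_version=None):
    """Return one finding per target with its effective tls_reqcert.

    global_default is the ldap.conf TLS_REQCERT value (libldap's built-in
    default is 'demand').  When slapd_version is given and predates the
    fix, the per-target value is treated as ignored, which is the
    behaviour the original post describes (an assumption of this example).
    """
    honour_override = slapd_version is None or fix_present(slapd_version)
    findings = []
    for t in parse_meta_targets(conf_text):
        tls_on = (t["uri"].lower().startswith("ldaps://") or t["starttls"]
                  or (t["tls"] or "").replace("try-", "") in ("start", "propagate", "ldaps"))
        reqcert = t["tls_reqcert"] if (t["tls_reqcert"] and honour_override) else global_default
        if not tls_on:
            verdict = "plaintext-bind" if t["bindmethod"] == "simple" else "no-tls"
        elif reqcert in NO_VERIFY:
            verdict = "no-cert-verification"
        elif reqcert in PARTIAL_VERIFY:
            verdict = "partial-verification"
        else:
            verdict = "ok"
        findings.append({"uri": t["uri"], "tls": tls_on,
                         "effective_tls_reqcert": reqcert, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for ver in (None, "2.4.23-26"):
        print("slapd version:", ver or "fixed release assumed")
        for f in audit(SAMPLE_CONF, slapd_version=ver):
            print("  %-55s tls=%-5s reqcert=%-7s %s" % (
                f["uri"], f["tls"], f["effective_tls_reqcert"], f["verdict"]))
```

Run against the quoted config, the script reports the localhost target as a plaintext simple bind (the rootdn password crosses the loopback unencrypted), and the AD target as `no-cert-verification` once the per-target `allow` is honoured. With `slapd_version="2.4.23-26"` the AD target instead falls back to the ldap.conf default, which is the "override ignored" symptom in the question. Moving to a fixed release makes the override work, but the safer fix is to ship the AD CA certificate to the proxy (tls_cacert on the idassert-bind line) and keep `demand`, rather than rely on `allow`.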