Full_Name: Chad Richards
Version: 2.4.15
OS: CentOS 5.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (12.178.116.129)
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldap://XXX"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
        binddn="cn=Manager,dc=XXX,dc=com"
        credentials="secret"
        mode="self"
        starttls=critical
        tls_reqcert=never
        tls_cacertdir=/etc/openldap/cacerts
chain-tls start
chain-return-error TRUE
slapo-chain and TLS work fine connecting to the slave with LUMA; I can do password updates and everything is fine. At first, TLS with slapo-chain wouldn't work in LUMA until I added starttls=critical inside chain-idassert-bind.
Now the problem I'm having is that I cannot do a passwd as root or an ldap user from the shell prompt.
ldap.conf
ssl start_tls
tls_reqcert never
tls_checkpeer no
tls_cacertdir /etc/openldap/cacerts
Master log file when slapo-chain runs
---------------
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(18): got connid=6
connection_read(18): checking for input on id=6
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
connection_read(18): TLS accept failure error=-1 id=6, closing
connection_close: conn=6 sd=18
Slave log file when slapo-chain runs
-----------------
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=XX/O=XX/OU=XX/CN=XX/emailAddress=XX, issuer: /C=US/ST=XX/O=XX/OU=XX/CN=XX/emailAddress=XX
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
I had the same problem with LUMA, and that problem went away when I put starttls=critical in the chain-idassert-bind.
My ldap.conf works fine for everything else, but it just dies on passwd with TLS errors with slapo-chain.
Any ideas?
Thanks!
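Given the "unknown CA" alert and the "self signed certificate in certificate chain" (err 19) verification error logged above, both sides pointing at a tls_cacertdir, one check a practitioner runs is whether that directory is actually usable by OpenSSL's hashed-directory lookup. OpenLDAP's tls_cacertdir / TLS_CACERTDIR relies on that lookup, which only finds a CA filed under its subject-hash name (the <hash>.0 links that c_rehash creates); a PEM file merely copied into the directory is not found. The script below is an added example, not part of this report or of OpenLDAP: it builds throwaway test certificates with the openssl CLI (the CN values and paths are hypothetical, constructed test data) and verifies the server certificate against an unhashed and a hashed copy of the same CA directory.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenLDAP): show that an
# OpenSSL-style CA directory, which is what tls_cacertdir / TLS_CACERTDIR
# point at, only yields a CA when it is reachable under its subject-hash
# filename (<hash>.0), not merely because the PEM file sits in the directory.
# All certificates below are constructed throwaway test data; the CN values
# are hypothetical. Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed test CA and a server certificate issued by it.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=ldap-master.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# A directory that merely contains the CA file: the layout that does NOT work.
setup_unhashed_dir() {
  mkdir -p "$WORK/cacerts_unhashed"
  cp "$WORK/ca.pem" "$WORK/cacerts_unhashed/ca.pem"
}

# The same directory plus the hash link that c_rehash / "openssl rehash" create.
setup_hashed_dir() {
  mkdir -p "$WORK/cacerts_hashed"
  cp "$WORK/ca.pem" "$WORK/cacerts_hashed/ca.pem"
  hash=$(openssl x509 -hash -noout -in "$WORK/ca.pem")
  ln -sf ca.pem "$WORK/cacerts_hashed/$hash.0"
}

# verify_against_dir DIR: exit status 0 if server.pem chains to a CA found in
# DIR via the hashed lookup. The system default store is consulted too, but the
# constructed test CA is not in it, so only DIR can make verification succeed.
verify_against_dir() {
  openssl verify -CApath "$1" "$WORK/server.pem" >/dev/null 2>&1
}

make_certs
setup_unhashed_dir
setup_hashed_dir

if verify_against_dir "$WORK/cacerts_unhashed"; then
  echo "unhashed dir: verified (unexpected)"
else
  echo "unhashed dir: verification FAILED (CA file present, but no <hash>.0 link)"
fi
if verify_against_dir "$WORK/cacerts_hashed"; then
  echo "hashed dir:   verified OK"
else
  echo "hashed dir:   verification FAILED (unexpected)"
fi
```

The same hash-link check applies to the directory named by tls_cacertdir on the chaining slave and to the one named in the client-side ldap.conf; running `openssl x509 -hash -noout -in <ca.pem>` and looking for `<hash>.0` in that directory tells you whether libldap can find the CA at all.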