dirk.kastens@uni-osnabrueck.de wrote:
Full_Name: Dirk Kastens Version: 2.4.40 OS: RedHat SL 7.0 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:638:508:3d0:579:e63b:2c0e:3a09)
This is a duplicate of #7983
Then you should have simply followed up to #7983.
Does ldapsearch work against the target servers using the certificate configurations you listed?
Without a reproducible test case you'll get the same response as #7983 - no evidence of an OpenLDAP software bug, take this to the -technical list for help fixing your configuration. Or take this to RedHat support for help using their build of TLS software.
I'm running an openldap server with a meta backend that combines the trees of three different ldap servers. Two of them are connected via starttls and one via ssl over port 636. This perfectly works with openldap-2.4.23. Now I have upgraded the server to RedHat SL 7.0 with openldap-2.4.39. The ssl server cannot be reached by the meta backend any more. I manually compiled openldap 2.4.40, but the effect is the same. I tried openssl and moznss, but this makes no difference. I only see the trees of the tls connected servers. The tls servers also speak ssl, so I simply changed the uri from "ldap:" to "ldaps:". The effect is, that the servers also became unreachable.
Here is my configuration:
database meta suffix "ou=new,dc=xyz,dc=de"
uri "ldap://ldap.xyz.de/ou=a,ou=new,dc=xyz,dc=de" suffixmassage "ou=a,ou=new,dc=xyz,dc=de" "ou=people,dc=xyz,dc=de" idassert-bind bindmethod=simple binddn="cn=proxy,dc=xyz,dc=de" credentials="secret" mode=self tls_cert=/etc/openldap/certs/client.pem tls_key=/etc/openldap/certs/client.key tls_cacert=/etc/openldap/cacerts/cacerts.pem tls_cacertdir=/etc/openldap/cacerts tls_rcecert=never idassert-authzFrom "dn.exact:cn=root,ou=new,dc=xyz,dc=de"
uri "ldaps://ldap.abc.de:636/ou=b,ou=new,dc=xyz,dc=de" suffixmassage "ou=b,ou=new,dc=xyz,dc=de" "ou=people,dc=abc,dc=de" idassert-bind bindmethod=simple binddn="cn=proxy,dc=abc,dc=de" credentials="secret" mode=self starttls=no tls_cert=/etc/openldap/certs/client.pem tls_key=/etc/openldap/certs/client.key tls_cacert=/etc/openldap/cacerts/cacerts.pem tls_cacertdir=/etc/openldap/cacerts tls_reqcert=never idassert-authzFrom "dn.exact:cn=root,ou=new,dc=xyz,dc=de"
When I search the meta directory, I only see the ou=a branch. slapd logs the following:
conn=1000 op=1 SRCH base="ou=new,dc=xyz,dc=de" scop3D3D1 deref=3 filter="(objectClass=*)" conn=1000 op=1 SRCH attr=objectclass conn=1000 op=1: meta_back_getconn[0] conn=1000 op=1: meta_back_getconn[1] conn=1000 op=1 meta_back_getconn: candidates=2 conn=ROOTDN-TLS inserted conn=1000 op=1 >E%E> meta_back_search_start[0] conn=1000 op=1 >>> meta_search_dobind_init[0] conn=1000 op=1 <<< meta_search_dobind_init[0]=2 conn=1000 op=1 <<< meta_back_search_start[0]=2 conn=1000 op=1 >>> meta_back_search_start[1] conn=1000 op=1 >>> meta_search_dobind_init[1] conn=1000 op=1 <<< meta_search_dobind_init[1]=4 conn=1000 op=1 <<< meta_back_search_start[1]=4 conn=1000 op=1 meta_back_search: ncandidates=2 cnd="**" conn=1000 op=1 >>> meta_back_search_start[0] conn=1000 op=1 >>> meta_search_dobind_init[5D5D conn=1000 op=1 <<< meta_search_dobind_init[0]=1 ... conn=1000 op=1 <<< meta_back_search_start[0]=1 conn=1000 op=1 >>> meta_search_dobind_init[1] conn=1000 op=1 <<< meta_search_dobind_init[1]=0
It seems to find both servers, but it only connects to the first one. With ldapsearch I only see the branch "ou=a,ou=new,dc=xyz,dc=de". slapd hangs and can only be terminated by "kill -4". When the first server is specified with ldaps, none of the servers are reachable.