Just to make sure, can you pull the entire HEAD? Thanks for checking, in any case. p.
I finally had the time to reproduce the issue using the cvs source code from HEAD. The following command was used to build OpenLDAP:
CPPFLAGS="-I/home/openldap/software/include -D_AVL_H" \ LDFLAGS="-L/home/openldap/software/lib -Wl,-rpath=/home/openldap/software/lib" \ ./configure --prefix=/home/openldap/software --enable-rewrite --enable-dnssrv \ --enable-ldap --enable-meta --enable-auditlog --enable-rwm --enable-sssvlv \ --with-cyrus-sasl --with-tls=openssl --enable-bdb make depend; make; make install
The necessary SSL certificates are selfsigned:
openssl genrsa -out server1.key 2048 openssl req -new -key server1.key -x509 -days 365 -out server1.crt openssl genrsa -out server2.key 2048 openssl req -new -key server2.key -x509 -days 365 -out server2.crt
"server2" was started with the command: slapd -f /home/openldap/config/slapd.conf.server2 -h "ldaps://server2:6361" At this point I could already authenticate via SASL EXTERNAL using the ldapsearch command: LDAPTLS_CACERT=server2.crt LDAPTLS_CERT=server1.crt LDAPTLS_KEY=server1.key \ ldapsearch -H "ldaps://server2:6361" -b "" -s base -Y EXTERNAL 'objectclass=*'
Now I started "server1": slapd -f /home/openldap/config/slapd.conf.server1 -h "ldap://server1:3891"
Searching with ldapsearch -H ldap://server1:3891 -b "dc=server2,dc=example,dc=com" -x gives me no result, but the following output on server1's debug log (level
1):
ldap_connect_to_host: Trying 127.0.0.1:6361 ldap_pvt_connect: fd: 9 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 18, subject: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server2, issuer: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=server2 TLS certificate verification: Error, self signed certificate TLS trace: SSL3 alert write:fatal:unknown CA
I think the real error is that you're using self-signed certificates; this has nothing to do with the way OpenLDAP is using them. Using certificates signed by a CA known to the servers I obtain the expected behavior.
p.
TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate). conn=1000 op=1 meta_search_dobind_init[0]: retrying URI="ldaps://server2:6361" DN="".
And again: Starting "server1" with the environment variables and everything works fine: LDAPTLS_CACERT=server2.crt LDAPTLS_CERT=server1.crt LDAPTLS_KEY=server1.key \ slapd -f /home/openldap/config/slapd.conf.server1 -h "ldap://server1:3891"
I hope you can reproduce this issue using the information I provided. The configurations of both servers are attached below.
Best Regards, Manuel
slapd.conf.server1
include /home/openldap/software/etc/openldap/schema/core.schema include /home/openldap/software/etc/openldap/schema/cosine.schema include /home/openldap/software/etc/openldap/schema/inetorgperson.schema database meta suffix "dc=example,dc=com" uri "ldaps://server2:6361/dc=server2,dc=example,dc=com" idassert-authzFrom "*" idassert-bind bindmethod=sasl saslmech=EXTERNAL tls_cert=/home/openldap/config/server1.crt tls_key=/home/openldap/config/server1.key tls_cacert=/home/openldap/config/server2.crt mode=none
slapd.conf.server2
include /home/openldap/software/etc/openldap/schema/core.schema include /home/openldap/software/etc/openldap/schema/cosine.schema include /home/openldap/software/etc/openldap/schema/inetorgperson.schema TLSCertificateFile /home/openldap/config/server2.crt TLSCertificateKeyFile /home/openldap/config/server2.key TLSCACertificateFile /home/openldap/config/server1.crt TLSVerifyClient demand database bdb suffix "dc=server2,dc=example,dc=com" rootdn "cn=manager,dc=server2,dc=example,dc=com" directory /home/openldap/db.server2
-
masarati@aero.polimi.it