From: espeake@oreillyauto.com
To: openldap-technical@openldap.org
Date: 09/23/2013 10:27 AM
Subject: Wrong certificate being presented
Sent by: openldap-technical-bounces@OpenLDAP.org
The authentication works on the single server we have which is running an older version of OpenLDAP (2.4.21). In my packet captures it appears that the older version of OpenLDAP is presenting the certificate we want it to present. The new version (2.4.31), although it has the same cert installed in the same place, is presenting an older self-signed cert that has been removed. The new servers have been rebooted since this change, so where could this possibly be cached?
This is from my slapcat of the new servers.
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzPolicy: any
olcPidFile: /var/run/slapd/slapd.pid
olcServerID: 1 ldap://tntest-ldap-3.example.com
olcServerID: 2 ldap://tntest-ldap-1.example.com
olcServerID: 3 ldap://tntest-ldap-2.example.com
olcThreads: 8
olcTLSCACertificateFile: /etc/ldap/gd_bundle.crt
olcTLSCertificateFile: /etc/ldap/wildcard.example.com.crt
olcTLSCertificateKeyFile: /etc/ldap/wildcard.example.com.key
olcToolThreads: 1
structuralObjectClass: olcGlobal
creatorsName: cn=config
entryUUID: 91cc0ae0-9e13-1032-84b5-0151b658a842
createTimestamp: 20130820183919Z
olcLogLevel: config acl stats conns
olcTLSCipherSuite: NORMAL
olcTLSCRLCheck: none
olcTLSVerifyClient: never
entryCSN: 20130923150907.574575Z#000000#001#000000
modifiersName: uid=admin,dc=oreillyauto,dc=com
modifyTimestamp: 20130923150907Z
contextCSN: 20130923150907.574575Z#000000#001#000000
contextCSN: 20130923150843.855673Z#000000#002#000000
contextCSN: 20130919185322.242639Z#000000#003#000000
I tried doing an ldapmodify to delete the olcTLSCipherSuite and olcTLSCRLCheck that I added, and they will not disappear.

Thanks
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
The old certificates had been renamed adding .orig to the end. I deleted those and now the certificates are being presented properly.
Thank you,
Eric
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
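A check for the situation described in this thread, added here as an example rather than anything from the original posts or from OpenLDAP itself: it reads olcTLS* attributes out of a cn=config dump, fingerprints the certificate file that slapd is configured to use, and compares it with the certificate a running server actually presents (via ssl.get_server_certificate, which assumes LDAPS on 636; for StartTLS on 389 you would fetch the PEM with openssl s_client -starttls ldap instead). The LDIF sample is taken from the message above; the two PEM blobs are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re
import ssl

# Excerpt of the cn=config dump posted in the thread (constructed from it).
SAMPLE_LDIF = """dn: cn=config
olcTLSCACertificateFile: /etc/ldap/gd_bundle.crt
olcTLSCertificateFile: /etc/ldap/wildcard.example.com.crt
olcTLSCertificateKeyFile: /etc/ldap/wildcard.example.com.key
olcTLSVerifyClient: never
"""

def _fake_pem(der: bytes, width: int = 64) -> str:
    # Constructed PEM wrapper around arbitrary bytes; only the DER body matters
    # for fingerprinting, so this is enough to exercise the comparison offline.
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

CONFIGURED_PEM = _fake_pem(b"constructed: the wildcard cert slapd should present")
STALE_PEM = _fake_pem(b"constructed: the removed self-signed cert")

def parse_tls_config(ldif_text: str) -> dict:
    """Return the olcTLS* attributes of a cn=config LDIF dump as a dict."""
    cfg = {}
    for line in ldif_text.splitlines():
        m = re.match(r"^(olcTLS\w+):\s*(.+?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER of the first CERTIFICATE block, as openssl x509 -fingerprint does."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def presented_fingerprint(host: str, port: int = 636) -> str:
    """Fingerprint of the leaf certificate the live server presents (LDAPS assumed)."""
    return pem_fingerprint(ssl.get_server_certificate((host, port)))

def certs_match(configured_pem: str, presented_pem: str) -> bool:
    """True when the configured file and the presented certificate are the same cert."""
    return pem_fingerprint(configured_pem) == pem_fingerprint(presented_pem)
```

In practice, read the file named by olcTLSCertificateFile from the parsed config and pass presented_fingerprint(host) against it; a mismatch is the signal to look for leftover certificate material such as the renamed .orig files mentioned in the follow-up.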