> I've just tested this scenario using the back-meta sources (and
> slap.h, sl_malloc.c) from HEAD. I also tried to add "tls start" to the
> back-meta configuration.

Not sure why you need those...

> Unfortunately, the problem still persists. (But the workaround,
> setting LDAPTLS_..., still works)
>
> When I look at the debug outputs (at debug level 1), the first
> difference is in the SSL_connect messages. Only my workaround method
> is sending the "write certificate verify" to authenticate with the
> certificate, whereas it doesn't send this message without the
> workaround.

Can I see the entire configuration of both sides? (minus passwords and
so, of course). Is the client using TLS? I'll re-check later, but I
could use TLS-based EXTERNAL auth with both back-ldap and back-meta
with and without setting "tls start". Just to make sure, can you pull
the entire HEAD?

Thanks for checking, in any case.

p.

> The output from the "good" request (with workaround) is
> -----------------------------------------------------------------------------------------
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server key exchange A
> TLS trace: SSL_connect:SSLv3 read server certificate request A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client certificate A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write certificate verify A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read finished A
> ldap_int_sasl_open: host=localhost
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> -----------------------------------------------------------------------------------------
>
> The output from the request without the workaround:
> -----------------------------------------------------------------------------------------
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server key exchange A
> TLS trace: SSL_connect:SSLv3 read server certificate request A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client certificate A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read finished A
> ldap_int_sasl_open: host=localhost
> ldap_free_connection 1 1
> ldap_send_unbind
> ber_flush2: 7 bytes to sd 15
> TLS trace: SSL3 alert write:warning:close notify
> ldap_free_connection: actually freed
> -----------------------------------------------------------------------------------------
>
> Regards,
> Manuel
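The tell-tale difference between the two traces quoted above is that the client logs "write client certificate A" in both runs (OpenSSL passes through that state even when it has no certificate to offer) but logs "write certificate verify A" only when it actually holds a private key, and only that run goes on to ldap_sasl_bind instead of ldap_send_unbind. The following Python is an added illustration, not code from OpenLDAP or from either poster: it parses libldap "TLS trace:" debug lines and reports whether the client proved possession of a certificate key and how the connection was then used. The sample traces are constructed from the lines quoted in the thread; the function and class names are assumptions chosen for the example.

```python
"""Classify libldap TLS debug traces by whether the client authenticated
with a certificate.  Added example for the thread above; not OpenLDAP code.
The sample traces below are constructed from the lines quoted in the thread."""

import re
from dataclasses import dataclass

# Handshake states as libldap prints them after "TLS trace: SSL_connect:".
SERVER_CERT_REQUEST = "read server certificate request"
CLIENT_CERT_MSG = "write client certificate"
CLIENT_CERT_VERIFY = "write certificate verify"

# Matches the OpenSSL state string; works with or without a leading "> ".
TRACE_RE = re.compile(r"TLS trace: SSL_connect:SSLv3 (?P<state>.+)$")


@dataclass
class HandshakeSummary:
    server_requested_cert: bool   # server sent a CertificateRequest
    client_sent_cert_msg: bool    # client sent a Certificate message (may be empty)
    client_proved_key: bool       # client sent CertificateVerify

    @property
    def client_authenticated(self) -> bool:
        # OpenSSL logs "write client certificate" even when the client has no
        # certificate configured; only CertificateVerify proves it holds the
        # private key matching a certificate it actually sent.
        return self.client_sent_cert_msg and self.client_proved_key


def handshake_states(lines):
    """Return the OpenSSL handshake state strings, with the trailing ' A' dropped."""
    states = []
    for line in lines:
        m = TRACE_RE.search(line.strip())
        if not m:
            continue
        state = m.group("state").strip()
        if state.endswith(" A"):
            state = state[:-2]
        states.append(state)
    return states


def summarize_handshake(lines):
    states = handshake_states(lines)
    return HandshakeSummary(
        server_requested_cert=SERVER_CERT_REQUEST in states,
        client_sent_cert_msg=CLIENT_CERT_MSG in states,
        client_proved_key=CLIENT_CERT_VERIFY in states,
    )


def bind_outcome(lines):
    """'bind' if libldap went on to a SASL bind, 'unbind' if it tore the
    connection down first, 'unknown' if neither appears."""
    for line in lines:
        s = line.strip().lstrip("> ")
        if s.startswith("ldap_sasl_bind"):
            return "bind"
        if s.startswith("ldap_send_unbind"):
            return "unbind"
    return "unknown"


# Constructed sample input, taken from the traces quoted in the thread.
GOOD_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=localhost
ldap_sasl_bind_s
ldap_sasl_bind
"""

BAD_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=localhost
ldap_free_connection 1 1
ldap_send_unbind
TLS trace: SSL3 alert write:warning:close notify
"""

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        lines = trace.splitlines()
        summary = summarize_handshake(lines)
        print(name, summary, "authenticated:", summary.client_authenticated,
              "outcome:", bind_outcome(lines))
```

Run it against the output of a client started with debug level 1 (e.g. piped through a file) to confirm whether the missing CertificateVerify, rather than anything later in the SASL exchange, is what separates the two configurations; the script treats a trace with a server CertificateRequest but no CertificateVerify as "client did not authenticate with a certificate".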
