[email protected] wrote:
> Full_Name: Dirk Kastens
> Version: 2.4.40
> OS: RedHat SL 7.0
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:638:508:3d0:579:e63b:2c0e:3a09)
>
>
> This is a duplicate of #7983

Then you should have simply followed up to #7983. Does ldapsearch work against the target servers using the certificate configurations you listed? Without a reproducible test case you'll get the same response as #7983 - no evidence of an OpenLDAP software bug, take this to the -technical list for help fixing your configuration. Or take this to RedHat support for help using their build of TLS software.

> I'm running an openldap server with a meta backend that combines the
> trees of three different ldap servers. Two of them are connected via
> starttls and one via ssl over port 636. This perfectly works with
> openldap-2.4.23.
> Now I have upgraded the server to RedHat SL 7.0 with openldap-2.4.39.
> The ssl server cannot be reached by the meta backend any more. I
> manually compiled openldap 2.4.40, but the effect is the same. I tried
> openssl and moznss, but this makes no difference. I only see the trees
> of the tls connected servers.
> The tls servers also speak ssl, so I simply changed the uri from "ldap:"
> to "ldaps:". The effect is that the servers also became unreachable.
>
> Here is my configuration:
> -------------------------------
> database meta
> suffix "ou=new,dc=xyz,dc=de"
>
> uri "ldap://ldap.xyz.de/ou=a,ou=new,dc=xyz,dc=de"
> suffixmassage "ou=a,ou=new,dc=xyz,dc=de" "ou=people,dc=xyz,dc=de"
> idassert-bind bindmethod=simple binddn="cn=proxy,dc=xyz,dc=de"
>   credentials="secret" mode=self
>   tls_cert=/etc/openldap/certs/client.pem
>   tls_key=/etc/openldap/certs/client.key
>   tls_cacert=/etc/openldap/cacerts/cacerts.pem
>   tls_cacertdir=/etc/openldap/cacerts
>   tls_reqcert=never
> idassert-authzFrom "dn.exact:cn=root,ou=new,dc=xyz,dc=de"
>
> uri "ldaps://ldap.abc.de:636/ou=b,ou=new,dc=xyz,dc=de"
> suffixmassage "ou=b,ou=new,dc=xyz,dc=de" "ou=people,dc=abc,dc=de"
> idassert-bind bindmethod=simple binddn="cn=proxy,dc=abc,dc=de"
>   credentials="secret" mode=self starttls=no
>   tls_cert=/etc/openldap/certs/client.pem
>   tls_key=/etc/openldap/certs/client.key
>   tls_cacert=/etc/openldap/cacerts/cacerts.pem
>   tls_cacertdir=/etc/openldap/cacerts
>   tls_reqcert=never
> idassert-authzFrom "dn.exact:cn=root,ou=new,dc=xyz,dc=de"
> -------------------------------
>
> When I search the meta directory, I only see the ou=a branch.
> slapd logs the following:
>
> conn=1000 op=1 SRCH base="ou=new,dc=xyz,dc=de" scope=1 deref=3
>   filter="(objectClass=*)"
> conn=1000 op=1 SRCH attr=objectclass
> conn=1000 op=1: meta_back_getconn[0]
> conn=1000 op=1: meta_back_getconn[1]
> conn=1000 op=1 meta_back_getconn: candidates=2 conn=ROOTDN-TLS inserted
> conn=1000 op=1 >>> meta_back_search_start[0]
> conn=1000 op=1 >>> meta_search_dobind_init[0]
> conn=1000 op=1 <<< meta_search_dobind_init[0]=2
> conn=1000 op=1 <<< meta_back_search_start[0]=2
> conn=1000 op=1 >>> meta_back_search_start[1]
> conn=1000 op=1 >>> meta_search_dobind_init[1]
> conn=1000 op=1 <<< meta_search_dobind_init[1]=4
> conn=1000 op=1 <<< meta_back_search_start[1]=4
> conn=1000 op=1 meta_back_search: ncandidates=2 cnd="**"
> conn=1000 op=1 >>> meta_back_search_start[0]
> conn=1000 op=1 >>> meta_search_dobind_init[0]
> conn=1000 op=1 <<< meta_search_dobind_init[0]=1
> ...
> conn=1000 op=1 <<< meta_back_search_start[0]=1
> conn=1000 op=1 >>> meta_search_dobind_init[1]
> conn=1000 op=1 <<< meta_search_dobind_init[1]=0
> -------------------------------
>
> It seems to find both servers, but it only connects to the first one.
> With ldapsearch I only see the branch "ou=a,ou=new,dc=xyz,dc=de".
> slapd hangs and can only be terminated by "kill -4". When the first server is
> specified with ldaps, none of the servers are reachable.
>
>

-- 
Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
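The check Howard asks for, ldapsearch against each back-meta target with the same client-certificate settings the quoted configuration lists, as an added shell example that is not part of the ITS thread or of OpenLDAP itself. It uses the ldap.conf(5) LDAPTLS_* variables as the client-side equivalents of the tls_* options, takes the remote bases from each target's suffixmassage, and assumes ldapsearch is on the PATH; the PROBE_BINDDN/PROBE_BINDPW variable names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the ITS thread: probe each back-meta target with
# ldapsearch under the same client-certificate settings the meta configuration
# lists, so a TLS handshake failure can be told apart from a back-meta problem.
# The LDAPTLS_* variables are the ldap.conf(5) equivalents of the tls_* options
# in the quoted config; the certificate paths are the ones from that config.
export LDAPTLS_CERT=/etc/openldap/certs/client.pem
export LDAPTLS_KEY=/etc/openldap/certs/client.key
export LDAPTLS_CACERT=/etc/openldap/cacerts/cacerts.pem
export LDAPTLS_CACERTDIR=/etc/openldap/cacerts
export LDAPTLS_REQCERT=never   # same as tls_reqcert=never: server cert not verified

# probe_args URI BASE
# Print the ldapsearch arguments for one target: a base-scope read of the remote
# suffix. ldaps:// URIs are TLS from the first byte; ldap:// URIs get -ZZ, which
# makes StartTLS mandatory, matching the starttls default of a back-meta target.
probe_args() {
    uri=$1
    base=$2
    case $uri in
        ldaps://*) printf '%s\n' "-H $uri -b $base -s base -x -LLL objectClass" ;;
        ldap://*)  printf '%s\n' "-ZZ -H $uri -b $base -s base -x -LLL objectClass" ;;
        *)         printf 'unsupported URI scheme: %s\n' "$uri" >&2; return 1 ;;
    esac
}

# run_probe URI BASE
# Run the probe if ldapsearch is installed and report the outcome. It never
# aborts the script, so every target gets tried. Set PROBE_BINDDN/PROBE_BINDPW
# (placeholder names) to bind as the proxy identity instead of reading anonymously.
run_probe() {
    uri=$1
    base=$2
    args=$(probe_args "$uri" "$base") || return 0
    if [ -n "${PROBE_BINDDN:-}" ]; then
        args="$args -D $PROBE_BINDDN -w $PROBE_BINDPW"
    fi
    if ! command -v ldapsearch >/dev/null 2>&1; then
        echo "SKIP $uri: ldapsearch not installed (would run: ldapsearch $args)"
        return 0
    fi
    errfile="probe.$$.err"
    # Word splitting of $args is intended; -d 1 writes the TLS trace to stderr.
    ldapsearch -d 1 $args >/dev/null 2>"$errfile"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK   $uri: TLS session and base read succeeded"
    else
        echo "FAIL $uri: ldapsearch exit $rc; handshake trace in $errfile"
    fi
    return 0
}

# The two targets from the quoted configuration; the remote suffix is the
# second argument of each target's suffixmassage line.
run_probe ldap://ldap.xyz.de/ 'ou=people,dc=xyz,dc=de'
run_probe ldaps://ldap.abc.de:636/ 'ou=people,dc=abc,dc=de'
```

Reading the result: a FAIL on the ldaps target whose trace shows the same handshake error slapd would hit points at the client TLS library or its configuration on the new host rather than at back-meta; an OK from ldapsearch while the meta search still omits that branch narrows the problem to slapd itself, which is the reproducible case the ITS asks for.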
