[Pkg-openldap-devel] Bug#512693: slapd - ldap proxy with tls enforces cert check even if disabled
Bastian Blank
waldi at debian.org
Thu Jan 22 21:12:38 UTC 2009
Package: slapd
Version: 2.4.11-1
Severity: important
I configured slapd to work as an LDAP proxy. Because of some problems
with the certs of the upstream server, I decided to disable cert checks
for now.
| database ldap
| suffix "o=Example"
| uri "ldaps://jura1.example.com/"
| tls ldaps tls_reqcert=never
| protocol-version 3
One authenticated request works:
| $ ldapsearch -h localhost -x -W "cn=blank"
| Enter LDAP Password:
| # extended LDIF
| #
| # LDAPv3
| # base <o=Example> (default) with scope subtree
| # filter: cn=blank
| # requesting: ALL
[...]
| # search result
| search: 2
| result: 0 Success
|
| # numResponses: 5
The second fails:
| $ ldapsearch -h localhost -x -W "cn=blank"
| Enter LDAP Password:
| ldap_bind: Server is unavailable (52)
| additional info: Proxy operation retry failed
The slapd log shows:
| TLS: peer cert untrusted or revoked (0x42)
| send_ldap_result: conn=1 op=0 p=3
| send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
| send_ldap_response: msgid=1 tag=97 err=52
This shows that the peer cert check value is somehow changed to one of
the enforcing values.
Bastian
--
Wait! You have not been prepared!
-- Mr. Atoz, "Tomorrow is Yesterday", stardate 3113.2
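The security trade-off behind the workaround in the report above, as an added example that is not part of this bug report and not taken from the OpenLDAP project's own documentation: the reporter's weak back-ldap stanza beside a corrected one that pins the upstream CA and demands a valid chain instead of turning verification off. The upstream host and suffix are the ones from the report; the CA file path is an assumption. The two stanzas are alternatives and must not both appear in one slapd.conf.

```conf
# Constructed example, not the reporter's or the project's configuration.
# back-ldap proxy for o=Example, forwarding to ldaps://jura1.example.com/.

# --- Weak: the upstream certificate is never verified. ----------------------
# Any host that answers on port 636 with any certificate is accepted, so an
# attacker on the path can terminate TLS, read the forwarded simple binds
# (cleartext passwords) and search results, and relay or alter replies.
database        ldap
suffix          "o=Example"
uri             "ldaps://jura1.example.com/"
tls             ldaps tls_reqcert=never
protocol-version 3

# --- Corrected: pin the upstream CA and require a valid chain. -------------
# tls_reqcert=demand aborts the connection unless the server presents a
# certificate that chains to the CA in tls_cacert (path is an assumption)
# and whose subject/SAN matches the host in uri, jura1.example.com.
# If the upstream cert is self-signed, put that exact certificate in the
# file rather than disabling verification.
database        ldap
suffix          "o=Example"
uri             "ldaps://jura1.example.com/"
tls             ldaps tls_reqcert=demand tls_cacert=/etc/ldap/upstream-ca.pem
protocol-version 3
```

With the corrected stanza the bind in the report would fail on the first connection rather than on the retry, which is the intended behaviour: the proxy refuses to forward credentials to a peer it cannot identify, and the upstream certificate problem has to be fixed (or its CA pinned) instead of being ignored.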