Old 03-29-2010, 06:01 PM
"John A. Sullivan III"
 
Default Unintended cert mapping happening

Hello, all. We are experiencing a weird problem and have not been able
to fix it. We have just renamed the top level of our tree from
dc=old,dc=biz to dc=new,dc=com. All went very well (well, very well
until we also changed the certificates and keys to be from the new
Certificate Authority - but we have that sorted now, too) except one
remaining error.

Our Zimbra (6.0.5) mail server authenticates users against our CentOS
8.1 Directory Server. It is working but, every time a user tries to
authenticate, we generate an error:

slapi_search_internal ("CN=zimbra.new.com, OU=MailServers, DC=new, DC=com", subtree, objectclass=*) err 32

and in the access log we see:
conn=174 SSL 128-bit RC4; client CN=zimbra.new.com,OU=MailServers,DC=new,DC=com; issuer CN=newca.new.com,OU=PKI,DC=new,DC=com
conn=173 SSL failed to map client certificate to LDAP DN (No such object)

We then see the directory search user (we do not allow anonymous access)
correctly bind and authenticate.

It is as if the directory server is accidentally trying to do cert
mapping and authenticate the mail server whenever it tries to establish
an ldaps connection. As far as I understand, one needs to tell
Directory Server to do this by adding a usercertificate attribute to the
user we want to authenticate via X.509 cert. I've searched the entire
database dump and nothing has that attribute. certmap.conf has been
unchanged and is all commented out except for:
certmap default default

What is causing this and how do I fix it?

Our migration procedure was to stop dirsrv, dump the userRoot and
NetscapeRoot databases, make all the substitutions via sed in dse.ldif
(and .bak and .startOK), make all the substitutions via sed in the
database dumps, and then import the revised ldif files. Thanks - John

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 03-29-2010, 07:30 PM
Rich Megginson
 
Default Unintended cert mapping happening

John A. Sullivan III wrote:
> Hello, all. We are experiencing a weird problem and have not been able
> to fix it. We have just renamed the top level of our tree from
> dc=old,dc=biz to dc=new,dc=com. All went very well (well, very well
> until we also changed the certificates and keys to be from the new
> Certificate Authority - but we have that sorted now, too) except one
> remaining error.
>
> Our Zimbra (6.0.5) mail server authenticates users against our CentOS
> 8.1 Directory Server. It is working but, every time a user tries to
> authenticate, we generate an error:
>
> slapi_search_internal ("CN=zimbra.new.com, OU=MailServers, DC=new, DC=com", subtree, objectclass=*) err 32
>
> and in the access log we see:
> conn=174 SSL 128-bit RC4; client CN=zimbra.new.com,OU=MailServers,DC=new,DC=com; issuer CN=newca.new.com,OU=PKI,DC=new,DC=com
> conn=173 SSL failed to map client certificate to LDAP DN (No such object)
>
> We then see the directory search user (we do not allow anonymous access)
> correctly bind and authenticate.
>
> It is as if the directory server is accidentally trying to do cert
> mapping and authenticate the mail server whenever it tries to establish
> an ldaps connection. As far as I understand, one needs to tell
> Directory Server to do this by adding a usercertificate attribute to the
> user we want to authenticate via X.509 cert. I've searched the entire
> database dump and nothing has that attribute. certmap.conf has been
> unchanged and is all commented out except for:
> certmap default default
>
> What is causing this and how do I fix it?
>
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_SSL-Starting_the_Server_with_SSL_Enabled.html#Starting_the_Server_with_SSL_Enabled-Enabling_SSL_Only_in_the_DS
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_SSL-Using_Certificate_Based_Authentication.html#client auth
and
http://directory.fedoraproject.org/wiki/Howto:CertMapping
> Our migration procedure was to stop dirsrv, dump the userRoot and
> NetscapeRoot databases, make all the substitutions via sed in dse.ldif
> (and .bak and .startOK), make all the substitutions via sed in the
> database dumps, and then import the revised ldif files. Thanks - John
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
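Added example, not part of the thread and not 389 Directory Server's own code: a small model of how a certmap.conf mapping turns a client certificate's subject DN into the internal LDAP search the server performs, run over the access-log line quoted in the question. It follows the rules described in the Howto:CertMapping page Rich links to (a DNComps line that is absent means the whole subject DN becomes the search base; FilterComps absent means the filter is objectclass=*; verifycert defaults to off) and shows why the page's `certmap default default` alone yields exactly the err 32 search John sees, beside a constructed alternative (`default:DNComps` left empty, `default:FilterComps cn`) that searches from the directory root by cn instead. The alternative mapping and the DN-splitting helper are assumptions for illustration; DN parsing here ignores escaped commas.

```python
"""Model of certmap.conf evaluation for a client certificate subject DN.

Constructed example for illustration; not the server's own code. Rules follow
the Howto:CertMapping page referenced in the thread.
"""
import re

# Access-log lines quoted in the original post (the only sample input here).
ACCESS_LOG = """\
conn=174 SSL 128-bit RC4; client CN=zimbra.new.com,OU=MailServers,DC=new,DC=com; issuer CN=newca.new.com,OU=PKI,DC=new,DC=com
conn=173 SSL failed to map client certificate to LDAP DN (No such object)
"""

# The certmap.conf from the question: everything commented out except the
# default declaration, so no DNComps/FilterComps/verifycert properties exist.
CERTMAP_FROM_POST = """\
# everything else commented out
certmap default default
"""

# Constructed alternative (an assumption, not from the thread): empty DNComps
# means "search from the directory root"; FilterComps cn builds (cn=<subject cn>).
CERTMAP_ALTERNATIVE = """\
certmap default default
default:DNComps
default:FilterComps cn
default:verifycert off
"""

LOG_RE = re.compile(r"client (?P<client>[^;]+); issuer (?P<issuer>.+)$")


def extract_client_certs(log_text):
    """Return (subject_dn, issuer_dn) for every access-log line that records
    a client certificate on an SSL connection."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            found.append((m.group("client").strip(), m.group("issuer").strip()))
    return found


def parse_certmap(text):
    """Parse certmap.conf into {name: {"issuer": dn, "props": {Prop: value}}}.
    'certmap <name> <issuerDN>' declares a mapping; '<name>:<Prop> [value]'
    sets one of its properties; '#' starts a comment."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer, "props": {}}
        else:
            head, _, value = line.partition(" ")
            name, _, prop = head.partition(":")
            entry = maps.setdefault(name, {"issuer": None, "props": {}})
            entry["props"][prop] = value.strip()   # "" when the property has no value
    return maps


def parse_dn(dn):
    """Naive RDN split (no escaped-comma handling), attribute names lowercased."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def _norm(dn):
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)).lower()


def derive_search(certmap, subject_dn, issuer_dn):
    """Return the search the server would run to map the certificate:
    {"base": ..., "scope": "subtree", "filter": ..., "verifycert": bool}."""
    mapping = certmap.get("default", {"issuer": None, "props": {}})
    for m in certmap.values():   # prefer a mapping whose issuer matches the cert
        if m["issuer"] and m["issuer"] != "default" and _norm(m["issuer"]) == _norm(issuer_dn):
            mapping = m
            break
    props = mapping["props"]
    subject = parse_dn(subject_dn)

    if "DNComps" not in props:          # absent: whole subject DN is the base
        base = subject_dn
    elif props["DNComps"] == "":        # present but empty: search from the root
        base = ""
    else:                               # listed: keep only those components
        wanted = [c.strip().lower() for c in props["DNComps"].split(",")]
        base = ",".join(f"{a}={v}" for a, v in subject if a in wanted)

    comps = [c.strip().lower() for c in props.get("FilterComps", "").split(",") if c.strip()]
    if not comps:
        filt = "(objectclass=*)"
    else:
        terms = "".join(f"({a}={v})" for a, v in subject if a in comps)
        filt = f"(&{terms})" if len(comps) > 1 else terms

    verify = props.get("verifycert", "off").lower() == "on"
    return {"base": base, "scope": "subtree", "filter": filt, "verifycert": verify}


if __name__ == "__main__":
    for subject, issuer in extract_client_certs(ACCESS_LOG):
        for label, conf in (("post", CERTMAP_FROM_POST), ("alternative", CERTMAP_ALTERNATIVE)):
            print(label, derive_search(parse_certmap(conf), subject, issuer))
```

With the configuration from the post, the derived search base is the certificate's full subject DN, which is the DN in the `slapi_search_internal ... err 32` line; the mapping is attempted because the client presented a certificate on the SSL connection, and fails because no entry exists at that DN.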
 
