Bug 859582
Summary: | openldap server ignores certificate when moznss cert/key db exists | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | dave | ||||
Component: | openldap | Assignee: | Jan Vcelak <jvcelak> | ||||
Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 6.3 | CC: | dave, jsynacek, tsmetana | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2012-09-24 09:00:41 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Sorry, I missed this bug when cloning this issue from Fedora. The real cause is described here: https://bugzilla.redhat.com/show_bug.cgi?id=859858 *** This bug has been marked as a duplicate of bug 859858 *** |
Created attachment 615685 [details] Full text output of the installation and configuration of an openldap server, a detailed description of the problem, and details of how to work around it Description of problem: Openldap server will ignore openssl certificates and keys if a mozilla/nss cert/key db exists in /etc/openldap/certs. When installing and configuring openldap for the first time, if you attempt to use certificate files as opposed to certificates that are managed in a mozilla/nss cert/key db, upon establishing an ssl/tls connection to the server, the openldap server will ignore these files and attempt to open the moznss cert/key db anyway. Version-Release number of selected component (if applicable): openldap-servers-2.4.23-26.el6_3.2.i686 on RHEL 6.3 How reproducible: every time Steps to Reproduce: (this is a summary. The full steps I took to set up the openldap server, reproduce the problem, and work around it are attached). 1. install openldap-servers 2. basic server configuration: - configure suffix - set olcrootpw for cn=manager - set olcTLSCertificateFile, olcTLSCertificateKeyFile, olcTLSCACertificateFile 3. restart server. 4. openssl s_client -connect localhost:636 -showcerts Actual results: # openssl s_client -connect localhost:636 -showcerts CONNECTED(00000003) *nothing more appears -- the server hangs here* Expected results: # openssl s_client -connect localhost:636 -showcerts CONNECTED(00000003) depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.org verify error:num=18:self signed certificate verify return:1 depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.org [snip, snip] Additional info: How to work around (yes this is not the 'Right Thing To Do'(tm) but it demonstrates the problem): 1. cd /etc/openldap/certs 2. mv cert8.db key3.db /tmp/ 3. service slapd restart