Bug 859582 - openldap server ignores certificate when moznss cert/key db exists
Status: CLOSED DUPLICATE of bug 859858
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Jan Vcelak
QA Contact: BaseOS QE Security Team
Reported: 2012-09-22 00:52 EDT by dave
Modified: 2013-03-03 20:30 EST (History)

Last Closed: 2012-09-24 05:00:41 EDT
Type: Bug

Attachments
Full text output of the installation and configuration of an openldap server, a detailed description of the problem, and details of how to work around it (20.31 KB, text/plain)
2012-09-22 00:52 EDT, dave

Description dave 2012-09-22 00:52:48 EDT
Created attachment 615685
Full text output of the installation and configuration of an openldap server, a detailed description of the problem, and details of how to work around it

Description of problem:

Openldap server will ignore openssl certificates and keys if a mozilla/nss cert/key db exists in /etc/openldap/certs.

When installing and configuring openldap for the first time, if you attempt to use certificate files as opposed to certificates that are managed in a mozilla/nss cert/key db, upon establishing an ssl/tls connection to the server, the openldap server will ignore these files and attempt to open the moznss cert/key db anyway.

Version-Release number of selected component (if applicable):

openldap-servers-2.4.23-26.el6_3.2.i686 on RHEL 6.3

How reproducible:
every time

Steps to Reproduce:
(This is a summary. The full steps I took to set up the openldap server, reproduce the problem, and work around it are attached.)

1. install openldap-servers
2. basic server configuration:
 - configure suffix
 - set olcRootPW for cn=manager
 - set olcTLSCertificateFile, olcTLSCertificateKeyFile, olcTLSCACertificateFile
3. restart server.
4. openssl s_client -connect localhost:636 -showcerts


Actual results:
# openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
*nothing more appears -- the server hangs here*

Expected results:
# openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.org
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = centos6.example.org
[snip, snip]

Additional info:
How to work around (yes, this is not the 'Right Thing To Do'(tm), but it demonstrates the problem):
1. cd /etc/openldap/certs
2. mv cert8.db key3.db /tmp/
3. service slapd restart
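An added check, not code from the bug report or from the openldap project, that detects the state the report describes: file-based olcTLS*File attributes in cn=config while a MozNSS cert8.db/key3.db also sits in the certs directory, plus a timed probe for the hang after CONNECTED. The config path /etc/openldap/slapd.d/cn=config.ldif and the 5-second probe budget are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from openldap.
# Flags the state the report describes: cn=config names PEM files
# (olcTLSCertificateFile & co.) while /etc/openldap/certs also holds a
# MozNSS cert/key database, which the report says slapd opens instead.

# check_tls_conflict CONFIG_LDIF [CERTS_DIR]
#   0 = no conflict, 1 = PEM attributes and NSS db both present,
#   2 = config file unreadable.  CERTS_DIR defaults to the report's path.
check_tls_conflict() {
    cfg="$1"
    certs="${2:-/etc/openldap/certs}"
    [ -r "$cfg" ] || return 2
    files_set=0
    # LDIF attribute names are case-insensitive, hence -i.
    if grep -qiE '^olcTLS(Certificate|CertificateKey|CACertificate)File:' "$cfg"; then
        files_set=1
    fi
    nssdb=0
    if [ -f "$certs/cert8.db" ] || [ -f "$certs/key3.db" ]; then
        nssdb=1
    fi
    if [ "$files_set" -eq 1 ] && [ "$nssdb" -eq 1 ]; then
        echo "CONFLICT: $cfg sets olcTLS*File but $certs contains cert8.db/key3.db" >&2
        return 1
    fi
    return 0
}

# probe_tls HOST PORT
#   0 if the server sends a certificate within 5 s, 1 otherwise (the
#   report's symptom is a hang right after CONNECTED).  Needs openssl and
#   coreutils timeout; the 5 s budget is an assumption.
probe_tls() {
    timeout 5 openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Usage (assumed default path for the global config entry):
#   check_tls_conflict /etc/openldap/slapd.d/cn=config.ldif && probe_tls localhost 636
```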
Comment 2 Jan Vcelak 2012-09-24 05:00:41 EDT
Sorry, I missed this bug when cloning this issue from Fedora. The real cause is described here: https://bugzilla.redhat.com/show_bug.cgi?id=859858

*** This bug has been marked as a duplicate of bug 859858 ***
