Hello
I'm trying to get multiple syncrepl-powered replicas available under the
same DNS name. I use OpenLDAP-2.3.32.
Each replica has a certificate with
subjectAltName=DNS:ldap.example.net,DNS:host.example.net
Clients can happily connect to it, that part works.
syncrepl is working with the provider using a certificate, but now I'd
like the consumers to use a certificate too, so that the provider does not
push sensitive data to anyone that pretends to be a replica.
After two days of fight against the machine, I discovered that I could not
use a different certificate for the syncrepl consumer and the LDAP service
running on the replica. This is a bug in 2.3.x, as explained by Howard Chu:
http://www.openldap.org/lists/openldap-software/200604/msg00202.html
http://www.openldap.org/lists/openldap-software/200604/msg00201.html
So I have to use the same certificate. I could live with that, but it does
not work: I add this to the syncrepl statement in the consumers' slapd.conf:
bindmethod=sasl
saslmech=EXTERNAL
And when restarting it, I get this error:
do_syncrep1: rid 217 ldap_sasl_interactive_bind_s failed (7)
I tried to use my certificate with ldapsearch. With an appropriate .ldaprc,
I can try this (the server here is the provider):
# ldapsearch -b "" -s base +
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available:
Using a certificate that does not have subjectAltName, it works fine, so
the provider is not rejecting me.
Here are my certificates' subjects, the one without subjectAltName that
works, and the other one that breaks (obtained by openssl x509 -text, a bit
modified, but you get the point: yes, there are ISO-8859-1 chars in O).
WORKS:
C=FR, ST=France, O=Exemple d'organisation accentuée, OU=foobarbuz,
CN=host.example.net/emailAddress=root example.net
BREAKS:
C=FR, ST=France, O=Exemple d'organisation accentuée,
OU=foobarbuz/subjectAltName=DNS:ldap.example.net,DNS:host.example.net
CN=ldap.example.net/emailAddress=root example.net
Playing with gdb shows that the server rejects the certificate in
libraries/libldap_r/utf-8.c:ldap_ucs_to_utf8s(), returning
LDAP_INVALID_SYNTAX.
I searched the web, and it seems that ISO-8859-1 chars in certificate
subjects are not a good idea. Changing that means also changing the
certificate authority, and that's something I'd like to avoid. Do I have
another solution?
That kind of problem has been discussed already on the mailing list. It
seems Howard Chu added ldap_ucs_to_utf8s() to address non-UTF-8 chars in
certificate subjects:
http://www.openldap.org/lists/openldap-devel/200205/msg00037.html
ldap_ucs_to_utf8s() contains really black magic; it would require one more
day for me to understand what happens there. Is it possible that it is
smart enough to work around non-UTF-8 chars in the general case, but fails
when subjectAltName is used?
Please help! How can I get this mess working?
--
Emmanuel Dreyfus
manu netbsd.org
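Added example (not from the post above nor from OpenLDAP): a small DER walker that lists the ASN.1 string type of every subject attribute and flags values that are not valid UTF-8, the property the SASL EXTERNAL DN mapping needs. The sample subject is constructed inline, and reading T61String bytes as ISO-8859-1 is an assumption about how OpenSSL encodes accented characters.

```python
# Walk a DER-encoded X.509 subject Name and report each attribute's ASN.1
# string type and whether its bytes are valid UTF-8 (what an LDAP DN needs).
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
               0x16: "IA5String", 0x1E: "BMPString"}
OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O",
             b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}   # id-at arcs, raw DER

def _tlv(buf, pos):                      # one definite-length DER TLV -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                    # constructed value -> list of (tag, value)
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_subject(name_der):
    """Return [(attr, string_type, is_utf8, text)] for every AVA in the Name."""
    _, rdns, _ = _tlv(name_der, 0)       # Name ::= SEQUENCE OF RelativeDistinguishedName
    result = []
    for _, rdn in _children(rdns):       # RDN ::= SET OF AttributeTypeAndValue
        for _, ava in _children(rdn):
            (_, oid), (vtag, raw) = _children(ava)
            if vtag == 0x1E:             # BMPString is UCS-2, never valid UTF-8 as-is
                is_utf8, text = False, raw.decode("utf-16-be")
            else:
                try:
                    is_utf8, text = True, raw.decode("utf-8")
                except UnicodeDecodeError:   # assumption: T61 bytes are ISO-8859-1 (OpenSSL's habit)
                    is_utf8, text = False, raw.decode("latin-1")
            result.append((OID_NAMES.get(oid, oid.hex()), STRING_TAGS.get(vtag, hex(vtag)), is_utf8, text))
    return result

def non_utf8_attributes(name_der):       # attributes that would fail an LDAP UTF-8 syntax check
    return [attr for attr, _, ok, _ in inspect_subject(name_der) if not ok]

# Constructed sample (not a real certificate): O is an accented ISO-8859-1 T61String.
def _der(tag, payload):                  # short-form length suffices for the sample
    return bytes([tag, len(payload)]) + payload

def _rdn(oid, vtag, value):              # SET { SEQUENCE { OID, value } }
    return _der(0x31, _der(0x30, _der(0x06, oid) + _der(vtag, value)))
SAMPLE_SUBJECT = _der(0x30, _rdn(b"\x55\x04\x06", 0x13, b"FR")
                      + _rdn(b"\x55\x04\x0a", 0x14, "Exemple d'organisation accentu\u00e9e".encode("latin-1"))
                      + _rdn(b"\x55\x04\x03", 0x13, b"ldap.example.net"))
```

Running inspect_subject() over the DER subject of each replica certificate (openssl can dump it) shows which attribute carries the 8-bit value before the certificate is rolled out for SASL EXTERNAL.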