Unintended cert mapping happening

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

John A. Sullivan III wrote:
> Hello, all.  We are experiencing a weird problem and have not been able
> to fix it.  We have just renamed the top level of our tree from
> dc=old,dc=biz to dc=new,dc=com.  All went very well (well, very well
> until we also changed the certificates and keys to be from the new
> Certificate Authority - but we have that sorted now, too) except one
> remaining error.
>
> Our Zimbra (6.0.5) mail server authenticates users against our CentOS
> 8.1 Directory Server.  It is working but, every time a user tries to
> authenticate, we generate an error:
>
> slapi_search_internal ("CN=zimbra.new.com, OU=MailServers, DC=new, DC=com", subtree, objectclass=*) err 32
>
> and in the access log we see:
> conn=174 SSL 128-bit RC4; client CN=zimbra.new.com,OU=MailServers,DC=new,DC=com; issuer CN=newca.new.com,OU=PKI,DC=new,DC=com
> conn=173 SSL failed to map client certificate to LDAP DN (No such object)
>
> We then see the directory search user (we do not allow anonymous access)
> correctly bind and authenticate.
>
> It is as if the directory server is accidentally trying to do cert
> mapping and authenticate the mail server whenever it tries to establish
> an ldaps connection.  As far as I understand, one needs to tell
> Directory Server to do this by adding a usercertificate attribute to the
> user we want to authenticate via X.509 cert.  I've searched the entire
> database dump and nothing has that attribute.  certmap.conf has been
> unchanged and is all commented out except for:
> certmap default         default
>
> What is causing this and how do I fix it?
>   
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_SSL-Starting_the_Server_with_SSL_Enabled.html#Starting_the_Server_with_SSL_Enabled-Enabling_SSL_Only_in_the_DS
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_SSL-Using_Certificate_Based_Authentication.html#clientauth
and
http://directory.fedoraproject.org/wiki/Howto:CertMapping
> Our migration procedure was to stop dirsrv, dump the userRoot and
> NetscapeRoot databases, make all the substitutions via sed in dse.ldif
> (and .bak and .startOK), make all the substitutions via sed in the
> database dumps, and then import the revised ldif files.  Thanks - John
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux