openldap 2.4.31 changed how it does crypto initialization. It now creates a brand new slot/token for each SSL context. 389 relies on the old behavior of a single, global, shared crypto context. This causes server-to-server SSL using client cert auth to fail because the cert/key db in the new crypto context is locked, even if the server's main crypto db is unlocked.
0001-Ticket-430-server-to-server-ssl-client-auth-broken-w.patch
Once the patch is applied, the mmr/acceptance test has completed and passed 100%. Note: I've tested the server built from the 1.2.11 internal branch.
Also, the patch is backward compatible. I.e., it works just fine with older openldap (such as openldap-2.4.30).
78ed55b..9f959f0 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit changeset:9f959f0/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Mon Aug 20 12:20:21 2012 -0600

fb54b67..53c974f master -> master
commit changeset:53c974f/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Mon Aug 20 12:20:21 2012 -0600
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=852088
Added initial screened field value.
Metadata Update from @nhosoi: - Issue assigned to rmeggins - Issue set to the milestone: 1.2.11.12
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/430
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)