#430 server to server ssl client auth broken with latest openldap
Closed: wontfix. Opened 8 years ago by rmeggins.

openldap 2.4.31 changed how it does crypto initialization. It now creates a brand new slot/token for each SSL context. 389 relies on the old behavior of a single, global, shared crypto context. This causes server to server SSL using client cert auth to fail because the cert/key db in the new crypto context is locked, even if the server's main crypto db is unlocked.


0001-Ticket-430-server-to-server-ssl-client-auth-broken-w.patch

Once the patch is applied, the mmr/acceptance test has completed and passed 100%.
Note: I've tested the server built from 1.2.11 internal branch.

Also, the patch is backward compatible. I.e., it works just fine with older openldap (such as openldap-2.4.30).

78ed55b..9f959f0 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit changeset:9f959f0/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Mon Aug 20 12:20:21 2012 -0600
fb54b67..53c974f master -> master
commit changeset:53c974f/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Mon Aug 20 12:20:21 2012 -0600

Added initial screened field value.

Metadata Update from @nhosoi:
- Issue assigned to rmeggins
- Issue set to the milestone: 1.2.11.12

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/430

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

2 months ago

