[horde] Horde LDAP TLS not working, system LDAP TLS does

Simon Wilson simon at simonandkate.net
Tue Feb 19 09:53:00 UTC 2013


----- Message from Simon Wilson <simon at simonandkate.net> ---------
    Date: Tue, 19 Feb 2013 06:49:07 +1000
    From: Simon Wilson <simon at simonandkate.net>
Subject: Re: [horde] Horde LDAP TLS not working, system LDAP TLS does
      To: Ralf Lang <lang at b1-systems.de>
      Cc: "horde at lists.horde.org" <horde at lists.horde.org>


> On 19/02/2013, at 2:07 AM, Ralf Lang <lang at b1-systems.de> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 18.02.2013 16:30, Simon Wilson wrote:
>>> I am going crazy with this one...
>>>
>>> My H5 setup has been working fine for a week. Earlier in the week
>>> I updated the certificates that the systems use, but missed one on
>>> the new Horde server, and today everything stopped working with
>>> certificate expired errors.
>>>
>>> I worked out where I had missed it, put it there, but now Horde
>>> can't auth using TLS (it has been fine):
>>>
>>> 2013-02-18T14:56:45+00:00 EMERG: HORDE TLS not started: Connect
>>> error [pid 7145 on line 514 of "/usr/share/pear/Horde/Ldap.php"]
>>>
>>> It drops a fatal error whenever TLS is enabled. The certs appear
>>> fine, and Imp using the same certs can connect to the separate IMAP
>>> server.
>>>
>>> My old Horde 4 server can connect fine over TLS, so it's not the
>>> LDAP server.
>>>
>>> The strange thing though is that I can ldapsearch from the new
>>> system using TLS:
>>>
>>> ldapsearch -ZZ -x -b dc=simonandkate,dc=lan
>>>
>>> Generates this on the LDAP server:
>>>
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 fd=48 ACCEPT from IP=192.168.1.230:35382 (IP=0.0.0.0:389)
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=0 STARTTLS
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=0 RESULT oid= err=0 text=
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 fd=48 TLS established tls_ssf=256 ssf=256
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=1 BIND dn="" method=128
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=1 RESULT tag=97 err=0 text=
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=2 SRCH base="dc=simonandkate,dc=lan" scope=2 deref=0 filter="(objectClass=*)"
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=2 SEARCH RESULT tag=101 err=0 nentries=44 text=
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=3 UNBIND
>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 fd=48 closed
>>>
>>> Yet Horde can't START_TLS.
>>>
>>> The CA certificate file on the system is world readable - how does
>>> Horde find it?
>>
>> Is it installed to the default certificate store? For example, under
>> SUSE you put it in  /etc/ssl/certs and run
>>
>> c_rehash /etc/ssl/certs/
>>
>>
>> - --
>> Ralf Lang
>
> New cacert.pem is in two places, /etc/openldap/cacerts where  
> openldap config files want it to be (ldap.conf, pam_ldap.conf,  
> nslcd.conf), and in /etc/pki/tls/certs which is the system default  
> for CentOS.
>
> Same places it was before...and I've run c_rehash.
>
> I'm assuming that for some reason the php ldap_start_tls function is  
> failing which is what the Horde Ldap.php error is telling me.
>
> Just not sure why when a system ldapsearch call with no specified  
> cacert location succeeds.
>
> I'm not a php programmer, but may have to see if I can try that  
> command from php cli somehow. Or can you tell me what I can use in  
> Horde's configuration PHP command line screen to test ldap tls?
>
> Simon
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org

Got home this evening, prepared to jump in and start  
troubleshooting... and it's working. :-O

No idea why - something cached maybe?

Sorry for the noise.

Simon.

--
Simon Wilson
M: 0400 12 11 16
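Simon's earlier question, how to exercise LDAP over TLS from the PHP CLI, went unanswered in the thread. The script below is an added example, not code from Horde or from anyone in the thread. It drives the same ldap_start_tls() call that Horde_Ldap makes, through PHP's ext/ldap and therefore through the same libldap that ldapsearch -ZZ uses, and prints libldap's own diagnostic instead of the bare "Connect error" seen in Horde's log ("Connect error" is libldap's text for LDAP_CONNECT_ERROR, which is what it returns whenever the TLS handshake fails, certificate verification failures included, so that string on its own does not say why). The host emp01, the base DN and the CA path are taken from the thread as assumptions; the script name is invented. Run it twice, once as yourself and once as the web server user (for example sudo -u apache php ldap_tls_check.php ...), since libldap also reads ~/.ldaprc and $LDAPRC of the calling user and the two environments can differ even when the system ldap.conf is identical.

```php
<?php
// ldap_tls_check.php: added example, not Horde code. Reproduces the
// STARTTLS + anonymous bind + base search that "ldapsearch -ZZ -x -b <base>"
// performs, but through PHP's ldap extension, and reports libldap's reason
// when STARTTLS fails. Arguments (all assumptions, override as needed):
//   php ldap_tls_check.php ldap://emp01 dc=simonandkate,dc=lan /etc/openldap/cacerts/cacert.pem

error_reporting(E_ALL);
ini_set('display_errors', '1');

$uri    = isset($argv[1]) ? $argv[1] : 'ldap://localhost';
$baseDn = isset($argv[2]) ? $argv[2] : '';
$caFile = isset($argv[3]) ? $argv[3] : null;

// libldap honours the LDAPTLS_CACERT environment variable. It has to be set
// before the first ldap_connect(), because the library reads its TLS
// defaults once, when it initialises.
if ($caFile !== null) {
    if (!is_readable($caFile)) {
        fwrite(STDERR, "CA file $caFile is not readable by uid " . getmyuid() . "\n");
        exit(2);
    }
    putenv("LDAPTLS_CACERT=$caFile");
}
// Deliberately NOT setting LDAPTLS_REQCERT=never: that would make this test
// "pass" by turning off server certificate verification, which hides exactly
// the failure being diagnosed.

$ds = ldap_connect($uri);
if ($ds === false) {
    fwrite(STDERR, "ldap_connect() rejected URI $uri\n");
    exit(2);
}
// STARTTLS is the LDAPv3 extended operation (OID 1.3.6.1.4.1.1466.20037,
// the one visible in the slapd log); make sure v3 is negotiated.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if (!@ldap_start_tls($ds)) {
    report($ds, 'ldap_start_tls() failed');
    exit(1);
}
echo "STARTTLS negotiated with $uri\n";

// Same anonymous bind and subtree search as the ldapsearch call in the thread.
if (!@ldap_bind($ds)) {
    report($ds, 'anonymous bind failed after STARTTLS');
    exit(1);
}
$sr = @ldap_search($ds, $baseDn, '(objectClass=*)', array('dn'));
if ($sr === false) {
    report($ds, 'search failed');
    exit(1);
}
echo "search ok, " . ldap_count_entries($ds, $sr) . " entries under '$baseDn'\n";
ldap_unbind($ds);
exit(0);

function report($ds, $what)
{
    // ldap_errno()/ldap_error() give the protocol-level result (-11 "Connect
    // error" for a failed handshake). The diagnostic message option, where the
    // PHP build exposes it (hence the guard), carries the TLS layer's reason,
    // for instance which certificate check failed.
    $msg = sprintf('%s: (%d) %s', $what, ldap_errno($ds), ldap_error($ds));
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        $diag = '';
        if (ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag) && $diag !== '') {
            $msg .= "\n  diagnostic: $diag";
        }
    }
    fwrite(STDERR, $msg . "\n");
}
```

If the script succeeds as the interactive user but fails as the web server user, the difference is in that user's environment or per-user ldaprc rather than in the certificate itself; if it fails for both while ldapsearch -ZZ succeeds, compare which libldap the PHP binary is linked against (ldd on the ldap extension) with the one behind ldapsearch. Either way, keep certificate verification on while testing.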