[horde] Horde LDAP TLS not working, system LDAP TLS does

Ralf Lang lang at b1-systems.de
Tue Feb 19 10:00:41 UTC 2013


On 19.02.2013 10:53, Simon Wilson wrote:
> ----- Message from Simon Wilson <simon at simonandkate.net> ---------
> Date: Tue, 19 Feb 2013 06:49:07 +1000
> From: Simon Wilson <simon at simonandkate.net>
> Subject: Re: [horde] Horde LDAP TLS not working, system LDAP TLS does
> To: Ralf Lang <lang at b1-systems.de>
> Cc: "horde at lists.horde.org" <horde at lists.horde.org>
> 
> 
>> On 19/02/2013, at 2:07 AM, Ralf Lang <lang at b1-systems.de> wrote:
>> 
>>> On 18.02.2013 16:30, Simon Wilson wrote:
>>>> I am going crazy with this one...
>>>> 
>>>> My H5 setup has been working fine for a week. Earlier in the
>>>> week I updated the certificates that the systems use, but
>>>> missed one on the new Horde server, and today everything
>>>> stopped working with certificate expired errors.
>>>> 
>>>> I worked out where I had missed it, put it there, but now
>>>> Horde can't auth using TLS (it has been fine):
>>>> 
>>>> 2013-02-18T14:56:45+00:00 EMERG: HORDE TLS not started: Connect error [pid 7145 on line 514 of "/usr/share/pear/Horde/Ldap.php"]
>>>> 
>>>> It drops a fatal error whenever TLS is enabled. The certs
>>>> appear fine, and Imp using the same certs can connect to the
>>>> separate IMAP server.
>>>> 
>>>> My old Horde 4 server can connect fine over TLS, so it's not
>>>> the LDAP server.
>>>> 
>>>> The strange thing though is that I can ldapsearch from the
>>>> new system using TLS:
>>>> 
>>>> ldapsearch -ZZ -x -b dc=simonandkate,dc=lan
>>>> 
>>>> Generates this on the LDAP server:
>>>> 
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 fd=48 ACCEPT from IP=192.168.1.230:35382 (IP=0.0.0.0:389)
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=0 STARTTLS
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=0 RESULT oid= err=0 text=
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 fd=48 TLS established tls_ssf=256 ssf=256
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=1 BIND dn="" method=128
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=1 RESULT tag=97 err=0 text=
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=2 SRCH base="dc=simonandkate,dc=lan" scope=2 deref=0 filter="(objectClass=*)"
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=2 SEARCH RESULT tag=101 err=0 nentries=44 text=
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 op=3 UNBIND
>>>> Feb 19 01:15:57 emp01 slapd[3297]: conn=2378 fd=48 closed
>>>> 
>>>> Yet Horde can't START_TLS.
>>>> 
>>>> The CA certificate file on the system is world readable - how
>>>> does Horde find it?
>>> 
>>> Is it installed to the default certificate store? For example,
>>> under SUSE you put it in  /etc/ssl/certs and run
>>> 
>>> c_rehash /etc/ssl/certs/
>>> 
>>> 
>>> -- Ralf Lang
>> 
>> New cacert.pem is in two places, /etc/openldap/cacerts where
>> openldap config files want it to be (ldap.conf, pam_ldap.conf,
>> nslcd.conf), and in /etc/pki/tls/certs which is the system
>> default for CentOS.
>> 
>> Same places it was before...and I've run c_rehash.
>> 
>> I'm assuming that for some reason the php ldap_start_tls function
>> is failing which is what the Horde Ldap.php error is telling me.
>> 
>> Just not sure why when a system ldapsearch call with no
>> specified cacert location succeeds.
>> 
>> I'm not a php programmer, but may have to see if I can try that 
>> command from php cli somehow. Or can you tell me what I can use
>> in Horde's configuration PHP command line screen to test ldap
>> tls?
>> 
>> Simon
> 
> Got home this evening, prepared to jump in and start
> troubleshooting... and it's working. :-O
> 
> No idea why - something cached maybe?

Did you restart Apache or the server? I remember effects not
happening at once too when I last had certificate troubles.


-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
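A PHP CLI check for the ldap_start_tls() step Simon asks about, added here as an example; it is not Horde code and not from the thread. It exercises the same libldap path as Horde's Ldap.php (connect, LDAPv3, STARTTLS, anonymous bind) so that its result can be compared with the ldapsearch -ZZ run above; the hostname is a placeholder, the optional CA file argument and the LDAP_OPT_X_TLS_* / LDAP_OPT_DIAGNOSTIC_MESSAGE constants need PHP 7.1 or later (on older PHP drop those lines and libldap reads TLS_CACERT from /etc/openldap/ldap.conf, as ldapsearch does), and running it as the web server user is the fair comparison.

```php
<?php
// ldap_tls_check.php: diagnostic example, not part of Horde.
// Usage: php ldap_tls_check.php ldap://ldap.example.lan [/etc/openldap/cacerts/cacert.pem]
// The hostname is a placeholder; the CA path is the one discussed in the thread.

function ldap_tls_check(string $uri, ?string $caFile = null): array
{
    $ds = ldap_connect($uri);   // validates the URI; the socket opens on first operation
    if ($ds === false) {
        return ['ok' => false, 'stage' => 'connect', 'error' => 'bad LDAP URI', 'diagnostic' => ''];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // STARTTLS requires LDAPv3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if ($caFile !== null) {
        // Pin the CA store for this handle (PHP 7.1+). Without this, libldap uses
        // TLS_CACERT / TLS_CACERTDIR from ldap.conf, so a PHP failure next to a
        // working ldapsearch usually means the web server process sees a different
        // store (path, permissions, SELinux, or a long-running process that has not
        // been restarted since the certificate changed).
        ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
        ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    }
    if (!@ldap_start_tls($ds)) {
        // ldap_error() gives the generic "Connect error"; the diagnostic message
        // carries the TLS reason (expired certificate, unknown CA, hostname mismatch).
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        return ['ok' => false, 'stage' => 'starttls', 'error' => ldap_error($ds), 'diagnostic' => (string) $diag];
    }
    // Anonymous bind over the TLS session, matching the "ldapsearch -x" test
    if (!@ldap_bind($ds)) {
        return ['ok' => false, 'stage' => 'bind', 'error' => ldap_error($ds), 'diagnostic' => ''];
    }
    ldap_unbind($ds);
    return ['ok' => true, 'stage' => 'done', 'error' => '', 'diagnostic' => ''];
}

$result = ldap_tls_check($argv[1] ?? 'ldap://ldap.example.lan', $argv[2] ?? null);
printf("%s at stage %s%s\n", $result['ok'] ? 'OK' : 'FAILED', $result['stage'],
    $result['error'] !== '' ? ': ' . $result['error'] : '');
if ($result['diagnostic'] !== '') {
    echo 'libldap says: ' . $result['diagnostic'] . "\n";
}
exit($result['ok'] ? 0 : 1);
```

Run it once as yourself and once as the Apache user (for example with su -s /bin/sh apache -c '...'); if only the second run fails, the certificate store seen by the web server is the thing to fix.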