Re: [squid-users] basic_ldap_auth problem under Fedora

From: Amos Jeffries <>
Date: Thu, 05 Jun 2014 15:57:34 +1200

On 4/06/2014 9:14 p.m., Jose-Marcio Martins wrote:
> On 06/03/2014 08:00 PM, Amos Jeffries wrote:
>> On 3/06/2014 8:23 a.m., Jose-Marcio Martins wrote:
>> What do you see running it manually with that command line?
> Good hint. The same thing, see below. And problem solved !!!
>> If its crashing you could also try running it under a debugger to find
>> out why.
> In fact it doesn't crash. It terminates as this is the normal behavior
> of the helper when TLS connection fails.
> In fact the problem comes from outside the helper. TLS connection fails
> because openldap libraries do check the validity of server certificate.
> Although it's a valid certificate, it fails... 8-(
> The solution is to put this lines in /etc/openldap/ldap.conf :
> Maybe it could be a good idea to force this from inside the helper as
> ldap.conf is a server wide configuration and, for some people, not so
> easy to debug.

If anyone wants to produce a patch the helper definitely needs to print
an error message about the TLS failure.

Disabling TLS like that is generaly not the right thing to do though.

Some more debugging is needed to find out why the cert is valid and
still failing verification.

Perhapse the LDAP server or Squid machine TLS/SSL library needs updating?
 or the ca-certificates set used by one of them?
 or just a tweak of the acceptible ciphersuites?

Worst case regenerating the "valid" cert using up-to-date ciphers and
key lengths may be necessary if it is a very old cert.

Received on Thu Jun 05 2014 - 03:57:46 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 05 2014 - 12:00:05 MDT