1 Reply Latest reply: Dec 3, 2013 6:34 AM by Sylvain Duloutre-Oracle

    SSL client certificate mapping lacks referral support

    937681

      Our error log is full with entries of the following kind:

      [14/Nov/2013:00:04:15 +0100] - ERROR<4190> - Authentication - conn=-1 op=-1 msgId=-1 - Internal error  Internal search base="dc=adm" scope=2 filter=mwcertSubjectDN=CN=app::wision,O=Fa. Hewlett Packard Austria,C=AT, Result : 10 (Referral received)


      here the content of alias/certmap.conf:

      certmap default default
      default:DNComps
      default:verifycert   on
      default:CmapLdapAttr mwcertSubjectDN


      We have two suffixes, dc=adm and dc=magwien,dc=gv,dc=at.

      The dc=adm suffix only refers to dc=magwien,dc=gv,dc=at:

      # dsconf get-suffix-prop dc=adm
      referral-mode: enabled
      referral-url:  ldaps://ldapread.magwien.gv.at:636/dc=adm,dc=databases,dc=magwien,dc=gv,dc=at


      If Directory Server receives an SSL client certificate, it searches all suffixes for a matching entry. The authentication works perfectly, but the dc=adm suffix causes the error log entries above.

      How can we get rid of these annoying messages?

      One solution might be to restrict the search to a suffix, but I did not find a way to configure this.

      Does any appropriate plugin exist?

      Can this be solved with a plugin at all, or does it require changes to the core server?


      Best regards --Michael Gsandtner
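Added example (not part of the post or of Directory Server): a small Python filter that picks the certmap "Internal search ... Result : 10 (Referral received)" entries out of an error log, so an administrator can confirm that the noise comes only from a referral-only suffix such as dc=adm and count it rather than read through it. The log lines and the set of referral-only suffixes are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the entry quoted in the post (not real log data).
SAMPLE_LOG = """\
[14/Nov/2013:00:04:15 +0100] - ERROR<4190> - Authentication - conn=-1 op=-1 msgId=-1 - Internal error  Internal search base="dc=adm" scope=2 filter=mwcertSubjectDN=CN=app::wision,O=Fa. Hewlett Packard Austria,C=AT, Result : 10 (Referral received)
[14/Nov/2013:00:04:16 +0100] - ERROR<4190> - Authentication - conn=-1 op=-1 msgId=-1 - Internal error  Internal search base="dc=adm" scope=2 filter=mwcertSubjectDN=CN=app::other,O=Example,C=AT, Result : 10 (Referral received)
[14/Nov/2013:00:05:00 +0100] - INFO - unrelated line that must be ignored
"""

# Assumption: suffixes that are configured as pure referrals (referral-mode enabled),
# so a certmap search hitting them is expected to return LDAP result 10.
REFERRAL_ONLY_SUFFIXES = {"dc=adm"}
LDAP_REFERRAL = 10

# The certificate subject DN in the filter contains commas, so it is matched
# non-greedily up to the ", Result : " marker that ends it.
CERTMAP_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - ERROR<(?P<code>\d+)> - Authentication - .*?'
    r'Internal search base="(?P<base>[^"]+)" scope=(?P<scope>\d) '
    r'filter=(?P<attr>[^=]+)=(?P<dn>.*?), Result : (?P<rc>\d+) \((?P<msg>[^)]*)\)$'
)


def parse_certmap_errors(text):
    """Return one dict per certmap internal-search error line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = CERTMAP_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["rc"] = int(rec["rc"])
            rec["scope"] = int(rec["scope"])
            records.append(rec)
    return records


def is_referral_noise(rec):
    """True when the failure is a referral from a suffix that only holds a referral."""
    return rec["rc"] == LDAP_REFERRAL and rec["base"] in REFERRAL_ONLY_SUFFIXES


def summarize(records):
    """Count entries per (search base, result code) to show where the noise comes from."""
    return Counter((r["base"], r["rc"]) for r in records)


if __name__ == "__main__":
    recs = parse_certmap_errors(SAMPLE_LOG)
    for (base, rc), n in summarize(recs).items():
        print(f"base={base} result={rc} count={n}")
    print("all referral noise:", all(is_referral_noise(r) for r in recs))
```

Any record for which `is_referral_noise` is false points at a suffix where the certmap lookup failed for a reason other than the expected referral and deserves a closer look.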