Re: [sympa-users] LDAP members inclusion not working on sympa 6.2.9

Subject: The mailing list for listmasters using Sympa

  • From: Riccardo Veraldi <address@concealed>
  • To: Steve Shipway <address@concealed>, Sivert Hatteberg <address@concealed>, "address@concealed" <address@concealed>
  • Subject: Re: [sympa-users] LDAP members inclusion not working on sympa 6.2.9
  • Date: Thu, 19 Nov 2015 22:04:43 +0100

I solved the problem using a CA bundle file with all the certification authorities issuing certificates to my users,
mainly the TERENA SSL CA 3 + DigiCert root CA. I also have a couple of self-signed CAs in the bundle for self-signed user certificates.
Then I restrict access to the Sympa web interface using the SSL_CLIENT_S_DN_O variable inside the Apache configuration.
In this way I am satisfied.
Anyway, I wanted to use Shibboleth authentication instead of X509 (I do not use login/password for my users),
but it works only for my main robot, so I had to disable it. The other robots, which are Apache virtual hosts, won't work with Shibboleth.
I tried hard but I have never been able to make Shibboleth work with Apache virtual hosts + Sympa.
I mean if my main robot is lists.mydomain.org, only it will work with Shibboleth.
My other robots: lists.subdomain.mydomain.org, lists.subdomain2.mydomain.org, lists.subdomain3.mydomain.org ... lists.subdomainN.mydomain.org
won't work with Shibboleth auth.


Rick


On 19/11/15 21:56, Steve Shipway (via sympa-users Mailing List) wrote:
the inclusion of members from LDAP query is not working anymore.
Under v6.2, certificates are now verified, and the connection can fail
if they do not pass. This tests not just expiry but also the
authorisation chain. If your LDAP server uses a self-signed cert (as
ours does) you will need to remove the verify option:

ca_verify none

How does one set "ca_verify" for a member include?
Maybe I am missing something obvious, but I can't find where to configure it.
It's not a valid keyword in sympa.conf or in the list config file.
I've just checked with 6.2.9 here and this does seem to be the case. Logs
show that the LDAP include is failing to make the connection even with
'ca_verify none' and the web interface doesn't seem to allow this to be set.
Not sure why I had thought this was working previously, though (as you said)
it *does* work in the auth.conf

Strangely, if using a .incl datasource where the .incl file uses LDAP and this
option, there is not an error message in the web interface, but one appears
about ca_verify in the log file. It still doesn't work, though.

This would seem to be a bit of a problem that needs to be fixed :). I don't
have time to delve into the code myself though...

Steve

Steve Shipway
T: +64 9 3737 599 ext 86487
E: address@concealed
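Steve's point above (the LDAP connection fails because 6.2 now validates the server certificate chain) and Rick's CA-bundle approach, shown together as an added example that is not from the original thread: an auth.conf LDAP paragraph with the verification-disabling setting beside one that keeps verification on and points Sympa at a bundle of the issuing CAs. The parameter names ca_verify, ca_file and use_tls, the value require, and all host, suffix and path values are assumptions about Sympa 6.2's auth.conf, not taken from the thread.

```text
# Sympa auth.conf, LDAP paragraph (added example; parameter names assumed from
# Sympa 6.2, host/suffix/path values constructed)

# Weak: chain validation is skipped, so any certificate presented on the
# LDAP port is accepted, including one from a spoofed directory server
ldap
	regexp			mydomain\.org$
	host			ldap.mydomain.org:636
	use_tls			yes
	ca_verify		none
	suffix			dc=mydomain,dc=org
	get_dn_by_uid_filter	(uid=[sender])
	get_dn_by_email_filter	(mail=[sender])
	email_attribute		mail
	scope			sub

# Better: keep verification on and list every issuer you actually trust
# (public CAs plus the self-signed CA of the LDAP server) in one PEM bundle
ldap
	regexp			mydomain\.org$
	host			ldap.mydomain.org:636
	use_tls			yes
	ca_verify		require
	ca_file			/etc/sympa/ldap-ca-bundle.pem
	suffix			dc=mydomain,dc=org
	get_dn_by_uid_filter	(uid=[sender])
	get_dn_by_email_filter	(mail=[sender])
	email_attribute		mail
	scope			sub
```

The second paragraph applies Rick's web-front-end approach to the LDAP side: verification stays on, and only the set of trust anchors is extended to include the self-signed CA.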
