Cisco Bug: CSCur25423 - utils config ldap fqdn does not remove "TLS_REQCERT never"

Last Modified

Jul 24, 2017

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.5(1.10000.7)

Description (partial)

Symptom:
Customer is unable to control a phone via CTI when using Secure LDAP. The customer runs the following CLI command, which resolves the issue:

utils ldap config ipaddr

Customer then changes the config back to FQDN (the default).

utils ldap config fqdn

However, the issue does not come back.

Looking at what happens in the background we see the following:

///There are 2 ldap.conf files.  Both do not have "TLS_REQCERT never" enabled.
[root@UC105PUB ciscotac]# cat /usr/local/etc/openldap/ldap.conf
TLS_CACERTDIR /usr/local/platform/.security/tomcat/trust-certs/

[root@UC105PUB ciscotac]# cat /etc/openldap/ldap.conf
TLS_CACERTDIR /usr/local/platform/.security/tomcat/trust-certs/

///Host is set to use ipaddr.
admin:utils ldap config ipaddr 
Now configured to use IP address

///Both ldap.conf files show "TLS_REQCERT never" enabled.
[root@UC105PUB ciscotac]# cat /usr/local/etc/openldap/ldap.conf
TLS_CACERTDIR /usr/local/platform/.security/tomcat/trust-certs/
TLS_REQCERT never

[root@UC105PUB ciscotac]# cat /etc/openldap/ldap.conf
TLS_CACERTDIR /usr/local/platform/.security/tomcat/trust-certs/
TLS_REQCERT never

///Host is set back to use FQDN.
admin:utils ldap config fqdn 
Now configured to use FQDN

///The first ldap file still shows "TLS_REQCERT never" enabled.  The second does not.
[root@UC105PUB ciscotac]# cat /usr/local/etc/openldap/ldap.conf
TLS_CACERTDIR /usr/local/platform/.security/tomcat/trust-certs/
TLS_REQCERT never

[root@UC105PUB ciscotac]# cat /etc/openldap/ldap.conf
TLS_CACERTDIR /usr/local/platform/.security/tomcat/trust-certs/

It appears that the ldap.conf files are not being updated properly. If we switch back to FQDN in this scenario, the user should not be able to control the phone. But because one of the ldap.conf files still has "TLS_REQCERT never" enabled (which tells the OpenLDAP client to skip verification of the LDAP server certificate), it allows the user to control the phone.

Conditions:
Phone control via CTI with secure LDAP.

Enable 'utils ldap config ipaddr' and then run 'utils ldap config fqdn'.
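The following script is an added example, not Cisco code and not part of this bug record. It checks whether either of the two ldap.conf files named above still carries a TLS_REQCERT setting that skips server certificate verification after the switch back to FQDN. The two file paths come from the output shown above; the constructed sample reproduces the "after fqdn" state from the bug. It also flags the general OpenLDAP value "allow", which the bug text does not mention but which likewise lets a session proceed with an unverified certificate; that generalization is mine.

```python
"""Audit OpenLDAP client config files for a lingering TLS_REQCERT that skips cert checks."""
from pathlib import Path

# The two ldap.conf files shown in the bug report (CUCM 10.5(1)).
LDAP_CONF_PATHS = (
    "/usr/local/etc/openldap/ldap.conf",
    "/etc/openldap/ldap.conf",
)

# TLS_REQCERT values under which the OpenLDAP client does not enforce a valid
# server certificate. OpenLDAP's default when the keyword is absent is "demand".
INSECURE_REQCERT_VALUES = ("never", "allow")


def parse_ldap_conf(text):
    """Parse ldap.conf text into {KEYWORD: value}.

    Keywords are case-insensitive, '#' starts a comment, blank lines are
    ignored, and the last occurrence of a keyword is the one kept.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def cert_verification_disabled(settings):
    """True when TLS_REQCERT is set to a value that skips server cert validation."""
    value = settings.get("TLS_REQCERT", "demand").lower()
    return value in INSECURE_REQCERT_VALUES


def audit_ldap_confs(contents):
    """contents: {path: file text}. Return the sorted paths that skip cert verification."""
    return sorted(
        path for path, text in contents.items()
        if cert_verification_disabled(parse_ldap_conf(text))
    )


def read_ldap_confs(paths=LDAP_CONF_PATHS):
    """Read the real files (root on the CUCM node); a missing file counts as empty."""
    contents = {}
    for p in paths:
        path = Path(p)
        contents[p] = path.read_text() if path.is_file() else ""
    return contents


# Constructed sample: the file contents the bug shows after 'utils ldap config fqdn'.
SAMPLE_AFTER_FQDN = {
    "/usr/local/etc/openldap/ldap.conf": (
        "TLS_CACERTDIR /usr/local/platform/.security/tomcat/trust-certs/\n"
        "TLS_REQCERT never\n"
    ),
    "/etc/openldap/ldap.conf": (
        "TLS_CACERTDIR /usr/local/platform/.security/tomcat/trust-certs/\n"
    ),
}

if __name__ == "__main__":
    # Swap SAMPLE_AFTER_FQDN for read_ldap_confs() to audit a live node.
    leftovers = audit_ldap_confs(SAMPLE_AFTER_FQDN)
    for path in leftovers:
        print(f"WARNING: {path} still disables LDAP server certificate verification")
    if not leftovers:
        print("OK: both ldap.conf files require a verified server certificate")
```

On the sample above the script reports only /usr/local/etc/openldap/ldap.conf, matching the state the bug describes; after a fix (or a manual clean-up) both files should come back clean.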