
(ITS#6994) Syncrepl with MozNSS inherits TLS context from main configuration breaking some syncrepl setups

Full_Name: Thibault Le Meur
Version: 2.4.23-15
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (160.228.28.55)


Previously, on my FC13 installation (openldap-servers-2.4.21-11), the main slapd
process used an X509 "server" certificate while my syncrepl processes were using
the /etc/openldap/ldap.conf client configuration file in order to connect to my
LDAPs Syncrepl providers.

My new RHEL6 setup (openldap-servers-2.4.23-15.el6.x86_64) is linked to
MozNSS, and Syncrepl can't connect to my LDAPs providers anymore because it
complains about the TLS context not being initialized correctly (the server's
certificate isn't accepted as a client certificate).

Here is the lightly obfuscated log:

----------------------------------------------------------
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate [CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is
not valid - error -8101:Unknown code ___f 91.
TLS: error: unable to set up client certificate authentication for certificate
named PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: unable to set up client certificate authentication using PEM Token
#0:myldap.mydom.fr-cert.pem - 0
TLS: error: could not initialize moznss security context - error -8101:Unknown
code ___f 91
TLS: can't create ssl handle.
slap_client_connect: URI=ldaps://otherldap.mydom.fr
DN="cn=myreplicationAccount,dc=mydom,dc=fr" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=125 rc -1 retrying (9 retries left)
----------------------------------------------------------

Here is my syncrepl setup:
---------------------------------------------------------
syncrepl rid=125
        provider=ldaps://otherldap.mydom.fr
        type=refreshOnly
        interval=00:00:03:00
        retry="60 10 300 +"
        searchbase="dc=subranch,dc=mydom,dc=fr"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=myreplicationAccount,dc=mydom,dc=fr"
        credentials="MyVerySecretPassword"
---------------------------------------------------------

My setup related to TLS:
---------------------------------------------------------
TLSCipherSuite          HIGH
TLSCertificateFile      /etc/ssl/certs/myldap.mydom.fr-cert.pem
TLSCertificateKeyFile   /etc/ssl/keys/myldap.mydom.fr-key.pem
TLSCACertificateFile    /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------

And my /etc/openldap/ldap.conf:
---------------------------------------------------------
TLS_CACERT /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------

Here is the obfuscated certificate:
---------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 221 (0xdd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=myst, L=myloc, O=myorg, OU=myou,
CN=myCA/emailAddress=myemail@mydom.fr
        Validity
            Not Before: Oct  2 16:42:15 2007 GMT
            Not After : Dec 14 16:42:15 2012 GMT
        Subject: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myldap.mydom.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                keyid:...
                DirName:/C=FR/ST=myst/L=myloc/O=myorg/OU=myou/CN=myCA/emailAddress=thibault.lemeur@supelec.fr
                serial:00

            X509v3 Issuer Alternative Name:
<EMPTY>

            Netscape SSL Server Name:
                myldap.mydom.fr
            X509v3 Subject Alternative Name:
                DNS:ldap, DNS:ldapalias1, DNS:ldapalias2,
DNS:ldapalias1.mydom.fr, DNS:ldapalias2.mydom.fr, DNS:ldap.mydom.fr, DNS:myldap,
DNS:myldap.mydom.fr
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, Code Signing
    Signature Algorithm: sha1WithRSAEncryption
        ... 
---------------------------------------------------------
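An added example, not part of this report or of OpenLDAP: a shell check that uses openssl to test whether a certificate passes a TLS client-purpose check (extended key usage plus Netscape cert type). The first constructed profile mirrors the certificate above (nsCertType server, EKU server authentication and code signing only), the second adds clientAuth; all names and paths are constructed, and openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the ITS report): test whether a certificate can be
# used for TLS client authentication. Profiles mirror the reporter's cert
# (nsCertType server, EKU serverAuth+codeSigning) against a client-capable one.
# Assumes openssl is on PATH; all names below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = myldap.example.test
[ server_only ]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = critical, serverAuth, codeSigning
subjectAltName = DNS:myldap.example.test
[ server_and_client ]
basicConstraints = CA:FALSE
nsCertType = server, client
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = DNS:myldap.example.test
EOF

# make_cert <extension section> <basename>: self-signed test certificate
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/openssl.cnf" -extensions "$1" \
    -keyout "$WORK/$2-key.pem" -out "$WORK/$2-cert.pem" 2>/dev/null
}

# usable_as_client_cert <cert.pem>: exit 0 if OpenSSL's "sslclient" purpose
# check (extended key usage and Netscape cert type) accepts the certificate.
# The cert is its own trust anchor here, so only the purpose check can fail.
usable_as_client_cert() {
  openssl verify -purpose sslclient -CAfile "$1" "$1" >/dev/null 2>&1
}

make_cert server_only server
make_cert server_and_client both

for name in server both; do
  if usable_as_client_cert "$WORK/$name-cert.pem"; then
    echo "$name-cert.pem: accepted for client authentication"
  else
    echo "$name-cert.pem: rejected for client authentication"
  fi
done
```

Running the same `openssl verify -purpose sslclient` against the real consumer certificate shows whether it could ever be presented as a client certificate, independent of how slapd builds its TLS context.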