[Date Prev][Date Next] [Chronological] [Thread] [Top]

Slurpd over SSL

To: openldap-software@OpenLDAP.org
Subject: Slurpd over SSL
From: Estevam Viragh <estevamviragh@yahoo.com.br>
Date: Thu, 20 Nov 2003 00:23:47 -0300 (ART)

Hello List,

I'll appreciate your help on the following issue.
I'm trying to set up slurpd replication over ssl.
There is one master and only one slave on my lab env.
Both are serving only ssl enabled clients pretty smoothly that
the ldapsearch from one connects, searchs, and adds to each other,
using CA Issued Certificate, just like the OpenLDAP TLS/SSL How-to
and like many Howard Chu answer posts :-)
So, it does not seems to be related to using self signed,
but I'm getting this slurpd debbug messages:

"Error: ldap_start_tls failed: Can't contact LDAP server (81)"

Also, the replication runs finely on ldap:// manner (simple
and insecure)

I read a paragraph on item 7.0 of the mentined how to wich says:
"Also, attempting to call ldap_start_tls_s() when an SSL connection
is already utilized will also be in error"

So, is that a way to start slurpd directly with ssl ?
Is that the point or I'd missed some thig ?

# My ldap.conf:

URI ldaps://savatage.heavymetal.com
BASE o=heavymetal.com

TLS_CACERT /var/myca/demoCA/cacert.pem
TLS_REQCERT never

# My slapd.conf (the relevant part):

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/etc/openldap/schema/core.schema
include         /usr/etc/openldap/schema/cosine.schema
include         /usr/etc/openldap/schema/nis.schema
include         /usr/etc/openldap/schema/inetorgperson.schema
include         /usr/etc/openldap/schema/misc.schema
include         /usr/etc/openldap/schema/openldap.schema

access to *
        by self write
        by users read
        by anonymous auth

TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /usr/var/openldap-data/cacert.pem
TLSCertificateFile      /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile   /usr/var/openldap-data/serverkey.pem
TLSVerifyClient         never

database        ldbm
replica         host=angra.heavymetal.com:636 tls=critical
  binddn="cn=metallord,o=heavymetal.com"
                bindmethod=simple credentials=mypass
replogfile      /usr/var/openldap-data/replog/changes.log
suffix          "o=heavymetal.com"
rootdn          "cn=metallord,o=heavymetal.com"
rootpw          mypass

directory /usr/var/openldap-data

index objectClass eq

# ldapsearch results:

ldapsearch -x -D "cn=metallord,o=heavymetal.com" -W \
-b o=heavymetal.com -s sub -H ldaps://angra.heavymetal.com \
-v '(objectclass=*)'
ldap_initialize( ldaps://angra.heavymetal.com )
Enter LDAP Password:
filter: (objectclass=*)
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <o=heavymetal.com> with scope sub
# filter: (objectclass=*)
# requesting: ALL

# heavymetal.com
dn: o=heavymetal.com
objectClass: top
objectClass: organization
o: heavymetal.com
description: Heavy Metal Land

# computers, heavymetal.com
dn: ou=computers,o=heavymetal.com
ou: computers
objectClass: top
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Yahoo! Mail - 6MB, anti-spam e antivírus gratuito. Crie sua conta agora!

Follow-Ups:
- Re: Slurpd over SSL
  - From: Jeff Warnica <jeffw@chebucto.ns.ca>
- RE: Slurpd over SSL
  - From: "Howard Chu" <hyc@symas.com>
- Re: Slurpd over SSL
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Changing passwords via Open LDAP OS X 10.3 Server
Next by Date: Re: Slurpd over SSL
Index(es):
- Chronological
- Thread