RE: Slurpd over SSL
Port 636 is the default LDAPS (LDAP over SSL) port. As already noted, you
cannot use the LDAP StartTLS request over SSL. If you want slurpd to use SSL,
you must not specify TLS in the replica configuration.
If you're using OpenLDAP 2.1.23 you can use a URI in the replica
configuration, and specify ldaps there. e.g., instead of
replica host=foo.bar.domain:636
use
replica uri=ldaps://foo.bar.domain
If you're using an older release, you'll need to set TLS=hard in an ldaprc
file. The ldaprc file can either be in the slurpd user's home directory, or
in the slurpd process's working directory.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
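The rule in the reply above (port 636 or ldaps:// already means SSL, so a replica directive for that endpoint must not also ask for StartTLS, and on 2.1.23 the fix is `replica uri=ldaps://host` with no `tls=` option) is mechanical enough to lint for. The script below is an added example, not code from this thread or from the OpenLDAP project: it reads slapd.conf text, folds continuation lines, classifies each `replica` directive's transport, flags the StartTLS-over-LDAPS combination that produces the `ldap_start_tls failed` message, and prints the rewritten directive. The function names, the `transport()` categories, and the finding wording are my own; the sample config is the replica stanza from the posted slapd.conf with its continuation lines indented as slapd.conf expects.

```python
"""Lint slurpd 'replica' directives for the StartTLS-over-LDAPS mistake.

Rules (from the reply in this thread):
  * port 636 / ldaps:// is SSL from the first byte, so tls=critical or tls=yes
    (a StartTLS request) on that endpoint cannot work;
  * on OpenLDAP 2.1.23 write 'replica uri=ldaps://host' and drop tls=;
  * older releases without uri= need TLS=hard in the slurpd user's ldaprc.
"""
import shlex

LDAPS_PORT = 636
STARTTLS_VALUES = ("critical", "yes")   # tls= values that make slurpd send StartTLS


def join_continuations(text):
    """slapd.conf continues a directive on lines that start with whitespace;
    blank lines and comments are dropped."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    return directives


def parse_replica(directive):
    """Split 'replica key=value ...' into an ordered dict; shlex handles the
    double-quoted binddn value."""
    tokens = shlex.split(directive)
    if not tokens or tokens[0].lower() != "replica":
        raise ValueError("not a replica directive: %r" % directive)
    opts = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")   # first '=' only; DNs contain more
        opts[key.lower()] = value
    return opts


def transport(opts):
    """How slurpd would reach the replica: 'ldaps', 'starttls', 'plain', or
    'ldaps+starttls' (the combination that fails)."""
    uri = opts.get("uri", "").lower()
    host = opts.get("host", "")
    over_ssl = uri.startswith("ldaps://") or host.endswith(":%d" % LDAPS_PORT)
    starttls = opts.get("tls", "").lower() in STARTTLS_VALUES
    if over_ssl and starttls:
        return "ldaps+starttls"
    if over_ssl:
        return "ldaps"
    if starttls:
        return "starttls"
    return "plain"


def check_replica(opts):
    """Findings (strings) for one parsed replica directive."""
    findings = []
    mode = transport(opts)
    if mode == "ldaps+starttls":
        findings.append("tls=%s on an SSL endpoint: slurpd sends StartTLS inside an "
                        "already-encrypted session and fails (ldap_start_tls error); "
                        "drop tls= and use uri=ldaps://" % opts["tls"])
    elif mode == "ldaps" and "host" in opts:
        findings.append("host=...:636 without uri=: releases without uri= support "
                        "need TLS=hard in the slurpd user's ldaprc to speak SSL here")
    elif mode == "plain":
        findings.append("replication over plain ldap://: bind credentials and replog "
                        "contents cross the network unencrypted")
    return findings


def _fmt(key, value):
    # Re-quote values that shlex unquoted (DNs contain commas, maybe spaces).
    if any(c in value for c in ' ,"'):
        value = '"%s"' % value
    return "%s=%s" % (key, value)


def rewrite_replica(opts):
    """Rewrite a failing directive to 'replica uri=ldaps://host ...' with no
    tls= option; other options are kept in their original order."""
    if transport(opts) != "ldaps+starttls":
        return "replica " + " ".join(_fmt(k, v) for k, v in opts.items())
    if "uri" in opts:
        uri = opts["uri"]
    else:
        uri = "ldaps://%s" % opts["host"].rsplit(":", 1)[0]
    rest = [(k, v) for k, v in opts.items() if k not in ("host", "uri", "tls")]
    return "replica " + " ".join([_fmt("uri", uri)] + [_fmt(k, v) for k, v in rest])


def lint_slapd_conf(text):
    """[(directive, findings)] for every replica directive that has findings."""
    report = []
    for directive in join_continuations(text):
        if directive.split(None, 1)[0].lower() != "replica":
            continue
        findings = check_replica(parse_replica(directive))
        if findings:
            report.append((directive, findings))
    return report


# Replica stanza from the posted slapd.conf, continuation lines indented.
POSTED_CONF = """\
database ldbm
replica host=angra.heavymetal.com:636 tls=critical
        binddn="cn=metallord,o=heavymetal.com"
        bindmethod=simple credentials=mypass
replogfile /usr/var/openldap-data/replog/changes.log
"""

if __name__ == "__main__":
    for directive, findings in lint_slapd_conf(POSTED_CONF):
        print(directive)
        for finding in findings:
            print("  -", finding)
        print("  fix:", rewrite_replica(parse_replica(directive)))
```

Run against the posted stanza it reports the StartTLS-over-SSL conflict and prints `replica uri=ldaps://angra.heavymetal.com binddn="cn=metallord,o=heavymetal.com" bindmethod=simple credentials=mypass`; a `host=...:636` line with no `tls=` gets the ldaprc TLS=hard note instead, and a plain `ldap://` replica is flagged for sending the bind password in the clear.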
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Estevam Viragh
Hello List,
I'll appreciate your help on the following issue.
I'm trying to set up slurpd replication over SSL.
There is one master and only one slave in my lab env.
Both are serving only SSL-enabled clients pretty smoothly, so that
ldapsearch from one connects, searches, and adds to the other,
using a CA-issued certificate, just like the OpenLDAP TLS/SSL How-to
and like many Howard Chu answer posts :-)
So, it does not seem to be related to using self-signed,
but I'm getting these slurpd debug messages:
"Error: ldap_start_tls failed: Can't contact LDAP server (81)"
Also, the replication runs fine in ldap:// mode (simple
and insecure).
I read a paragraph in item 7.0 of the mentioned how-to which says:
"Also, attempting to call ldap_start_tls_s() when an SSL connection
is already utilized will also be in error"
So, is there a way to start slurpd directly with SSL?
Is that the point, or have I missed something?
# My ldap.conf:
URI ldaps://savatage.heavymetal.com
BASE o=heavymetal.com
TLS_CACERT /var/myca/demoCA/cacert.pem
TLS_REQCERT never
# My slapd.conf (the relevant part):
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/etc/openldap/schema/core.schema
include /usr/etc/openldap/schema/cosine.schema
include /usr/etc/openldap/schema/nis.schema
include /usr/etc/openldap/schema/inetorgperson.schema
include /usr/etc/openldap/schema/misc.schema
include /usr/etc/openldap/schema/openldap.schema
access to *
by self write
by users read
by anonymous auth
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
TLSVerifyClient never
database ldbm
replica host=angra.heavymetal.com:636 tls=critical
        binddn="cn=metallord,o=heavymetal.com"
        bindmethod=simple credentials=mypass
replogfile /usr/var/openldap-data/replog/changes.log
suffix "o=heavymetal.com"
rootdn "cn=metallord,o=heavymetal.com"
rootpw mypass
directory /usr/var/openldap-data
index objectClass eq
# ldapsearch results:
ldapsearch -x -D "cn=metallord,o=heavymetal.com" -W \
-b o=heavymetal.com -s sub -H ldaps://angra.heavymetal.com \
-v '(objectclass=*)'
ldap_initialize( ldaps://angra.heavymetal.com )
Enter LDAP Password:
filter: (objectclass=*)
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <o=heavymetal.com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
# heavymetal.com
dn: o=heavymetal.com
objectClass: top
objectClass: organization
o: heavymetal.com
description: Heavy Metal Land
# computers, heavymetal.com
dn: ou=computers,o=heavymetal.com
ou: computers
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2