
Re: TLS/SSL failover problem



Hi,

Doug Wilson <dwilson@virtc.com> writes:

[...]
> I've got an OpenLDAP master server and an OpenLDAP slave server.  I use
> TLS to encrypt replication traffic between them and it works just fine. 
> I can also connect to each of them with TLS or SSL capable clients.  SSL
> connections with LDAP Browser\Editor v2.8.2
> (http://www.iit.edu/~gawojar/ldap/), and TLS connections with GQ
> (http://biot.com/gq/), so I know SSL & TLS are working properly.
>
> When I tried to setup a failover configuration, however, I ran into all
> sorts of problems.
>
> Here's my understanding of how to configure failover ...
[...]
> I have ssl set to off in /etc/ldap.conf.  That's fine as long as I'm
> authenticating via localhost, but if the local ldap server dies, and
> nss_ldap and pam_ldap fall back on using ldap2.virtc.com, all of the
> traffic will be un-encrypted across the network.  That's bad, so I
> wanted to turn on TLS or ssl.
>
> I tried this in /etc/ldap.conf:
> host ldap1.virtc.com ldap2.virtc.com
> ssl on
>
> With that setting, initial failover works.  If I shut down the ldap
> server on ldap1.virtc.com, nss_ldap and pam_ldap successfully connect to
> ldap2.virtc.com over ssl for auth information.
>
> However, when I restart the ldap server on ldap1.virtc.com, nss_ldap and
> pam_ldap don't properly revert to using ldap1.virtc.com.  In fact, a
> 'getent passwd' on ldap1.virtc.com core dumps after providing the
> contents of /etc/passwd.  Here's what the output looks like:
[...]
> Very curious since I'm using basic authentication, not sasl.
>
> I can fix this by setting
> ssl off
> in /etc/ldap.conf, restarting ldap on ldap1.virtc.com, and then setting
> ssl on
> in /etc/ldap.conf.
>
> Anybody know what's going on here?

What are your slapd setup parameters?
./slapd -h "ldap:/// ldaps:///"
Are the paths to certificates set properly in /etc/ldap.conf and
/etc/openldap/ldapconf? 

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
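The two risks discussed in this thread are (a) an /etc/ldap.conf whose `host` list falls back to a remote server while `ssl` is off, so failover traffic crosses the network in the clear, and (b) a slapd that is not actually listening on ldaps:// for the clients that have `ssl on`. The following shell script is an added example, not something posted in this thread; it audits constructed sample ldap.conf files and a slapd listener string for exactly those two conditions. The host names under example.test and the file contents are placeholders invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit nss_ldap/pam_ldap ldap.conf
# files for the cleartext-failover risk, and check that slapd exposes an
# ldaps:// listener for clients configured with "ssl on".
# The sample configs below are constructed; example.test hosts are placeholders.

# Return 0 when a host is loopback, i.e. traffic never leaves the machine.
is_local_host() {
    case "$1" in
        localhost|localhost.localdomain|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ldap_conf FILE: return 0 if every host the client may fail over to
# is protected: either "ssl on" (ldaps) / "ssl start_tls" is set, or all
# listed hosts are loopback. Otherwise warn on stderr and return 1.
check_ldap_conf() {
    conf="$1"
    # last "ssl" keyword wins, matching how a later line overrides an earlier one
    ssl_mode=$(awk 'tolower($1)=="ssl" {print tolower($2)}' "$conf" | tail -n 1)
    hosts=$(awk 'tolower($1)=="host" {for (i = 2; i <= NF; i++) print $i}' "$conf")
    case "$ssl_mode" in
        on|start_tls) return 0 ;;
    esac
    for h in $hosts; do
        is_local_host "$h" || {
            echo "WARN: $conf: failover to $h would be cleartext (ssl=${ssl_mode:-off})" >&2
            return 1
        }
    done
    return 0
}

# check_slapd_listeners "URL ...": return 0 if an ldaps:// listener is present,
# as produced by e.g. slapd -h "ldap:/// ldaps:///"; otherwise warn and return 1.
check_slapd_listeners() {
    for u in $1; do
        case "$u" in
            ldaps://*) return 0 ;;
        esac
    done
    echo "WARN: no ldaps:// listener among: $1" >&2
    return 1
}

# Constructed sample configurations, written to a scratch directory.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
WEAK_CONF="$TMPD/ldap-weak.conf"
GOOD_CONF="$TMPD/ldap-good.conf"
LOCAL_CONF="$TMPD/ldap-local.conf"

cat > "$WEAK_CONF" <<'EOF'
# constructed: remote fallback host, TLS disabled -> cleartext on failover
host ldap1.example.test ldap2.example.test
base dc=example,dc=test
ssl off
EOF

cat > "$GOOD_CONF" <<'EOF'
# constructed: same hosts, ldaps enabled with a CA file to verify the server
host ldap1.example.test ldap2.example.test
base dc=example,dc=test
ssl on
tls_cacertfile /etc/openldap/cacert.pem
EOF

cat > "$LOCAL_CONF" <<'EOF'
# constructed: loopback only, so "ssl off" never leaves the host
host localhost
base dc=example,dc=test
ssl off
EOF

for f in "$WEAK_CONF" "$GOOD_CONF" "$LOCAL_CONF"; do
    if check_ldap_conf "$f"; then echo "OK:   $f"; fi
done
check_slapd_listeners "ldap:///" || true
check_slapd_listeners "ldap:/// ldaps:///" && echo "OK:   ldaps:// listener present"
```

Run it as-is to see the weak configuration and the ldap-only listener flagged; point `check_ldap_conf` at a real /etc/ldap.conf to audit a host. Note that the script only checks that TLS is requested, not that the certificate paths Dieter asks about are valid; a failing handshake would still show up as the connection errors described in the thread rather than as cleartext traffic.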