
OpenLDAP-2.1.29 Replication over SSL



I know this question has been posed previously, but I haven't been able to 
configure replication via SSL successfully.

Here's my environment:

One Master server
One Slave server
Both running OpenLDAP 2.1.29

Master configuration:

I followed the "OpenLDAP SSL/TLS How-To" 
(http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#3.0)
instructions to create my own CA Issued Certificate and server cert and 
server key.
I also created a client cert and key.

For Master:
cp demoCA/cacert.pem /usr/var/openldap-data/MASTER-cacert.pem
mv newcert.pem /usr/var/openldap-data/MASTER-servercrt.pem
mv newreq.pem /usr/var/openldap-data/MASTER-serverkey.pem

For client (after creating the client certificate):
mv newcert.pem ldap.slave.client.cert.pem
mv newreq.pem ldap.slave.client.key.pem

then added the following to my slapd.conf on the master

TLSCACertificateFile /usr/var/openldap-data/MASTER-cacert.pem
TLSCertificateFile /usr/var/openldap-data/MASTER-servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/MASTER-serverkey.pem

then added the following to the ldap.conf file on the client (slave)
TLS_CACERT /usr/var/openldap-data/MASTER.cacert.pem
TLS_REQCERT demand
added the following to the ldaprc file
TLS_CERT /usr/var/openldap-data/ldap.slave.client.cert.pem
TLS_KEY /usr/var/openldap-data/ldap.slave.client.key.pem

At this point the Master is set up to receive LDAP traffic over port 636, 
the client (in this case the slave machine) can connect just fine using 
ldapsearch, ldapmodify, etc.

I then set up the SLAVE server to accept ldap traffic via SSL in the same 
manner.

Create the ca on the SLAVE
Create the SLAVE-cacert.pem, SLAVE-servercrt.pem, and SLAVE-serverkey.pem. 
 
Create a client cert and key.  ldap.master.client.cert.pem and 
ldap.master.client.key.pem

Add the following to the SLAVE server's slapd.conf file
TLSCACertificateFile /usr/var/openldap-data/SLAVE-cacert.pem
TLSCertificateFile /usr/var/openldap-data/SLAVE-servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/SLAVE-serverkey.pem

then add the following to the ldap.conf file on the master
TLS_CACERT /usr/var/openldap-data/SLAVE-cacert.pem
TLS_REQCERT demand
add the following to the ldaprc file
TLS_CERT /usr/var/openldap-data/ldap.master.client.cert.pem
TLS_KEY /usr/var/openldap-data/ldap.master.client.key.pem

Again, the master can connect to the slave (via SSL) using ldapsearch, 
etc.

I set up the MASTER slapd.conf for replication

replogfile      /var/lib/ldap/master-slapd.replog
replica uri=ldaps://slave.domain.com
        binddn="uid=Replicator,ou=someOU,dc=domain,dc=com"
        bindmethod=simple
        credentials=password

configure the SLAVE slapd.conf for replication/referrals

updatedn "uid=Replicator,ou=someOU,dc=domiain,dc=com"
updateref ldaps://master.domain.com

At this point I restarted both LDAP servers and was able to connect to 
each one using ldapsearch from some client via SSL.
Referrals work fine (although NOT over port 636), but replication does 
NOT.
If I switch to 'replica uri=ldap://servername' it works fine, on port 
389.

I read in the list by Howard Chu:
"Since you have two different self-signed certs, one for master and one 
for slave, you should cat them both into a single file. Then, in 
slapd.conf of both the master and slave you should specify 
TLSCACertificateFile with the file you just created."

So I concatenated both the slave and master cacert.pem files into ONE file 
(/usr/var/openldap-data/cacert.pem) and changed BOTH the master and slave 
slapd.conf files to use

TLSCACertificateFile /usr/var/openldap-data/cacert.pem

It's the same file on both machines, the two cacert.pem files 
concatenated together into one file. Everything else remains the same.

Restart ldap on both servers.

I can connect from slave to master via ssl using ldapsearch.
I can connect from master to slave via ssl using ldapsearch 
(ex. ldapsearch -LLL -H ldaps://master.domain.com .......)

referrals still work, but replication does not.

I'm receiving these messages on the master server in the /var/log/messages 
file

slurpd: Initializing session to ldaps://slave.domain.com
slurpd: bind to slave.domain.com:636 as 
uid=Replicator,ou=someOU,dc=domain,dc=com (simple)
slurpd: TLS: can't connect.
slurpd: Error: ldap_simple_bind_s for slave.domain.com:636 failed: Can't 
contact LDAP server

On the slave I'm receiving (in the ldap.log file)
slapd[7478]: conn=45 fd=8 ACCEPT from IP=192.168.100.1:35608 
(IP=0.0.0.0:636)
slapd[7478]: connection_get(8)
slapd[7478]: connection_get(8)
slapd[7478]: conn=45 fd=8 closed

using ethereal on the slave server I see the master trying to initiate an 
SSL connection, but it's getting a TLS handshake failure.

Can someone tell me where I'm going wrong?

I'm guessing it's my SSL configuration, but I'm not sure where to start.
Do I need to issue ALL the certificates and keys from ONE ca?  If so which 
certs/keys go where?

Thank you for your anticipated help!

Joe Morin
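An added check, not part of Joe's post, that exercises the two conditions behind a failed ldaps:// replica handshake under TLS_REQCERT demand: the slave's server certificate must chain to a CA in the TLSCACertificateFile the master trusts, and its CN must equal the host in the replica uri. It uses the openssl CLI on a constructed fixture (two independent CAs named MASTER and SLAVE, a server cert for the made-up host slave.example.test, and a concatenated cacert.pem like the one in the post); to check real files, call check_peer_cert with the real paths.

```shell
#!/bin/sh
# Constructed fixture (not from the post): two independent CAs, MASTER and
# SLAVE, a server cert for slave.example.test signed by the SLAVE CA, and a
# concatenated CA bundle like the one the post builds.
set -e
WORK=$(mktemp -d)

# check_peer_cert CAFILE CERT HOST: the two checks behind a slurpd
# "TLS: can't connect" with TLS_REQCERT demand. Prints "ok" or the reason.
check_peer_cert() {
  cafile=$1; cert=$2; host=$3
  # 1. does the peer's cert chain to a CA in the file the caller trusts?
  if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
    echo "chain: $(basename "$cert") not signed by a CA in $(basename "$cafile")"
    return 1
  fi
  # 2. does the cert's CN match the host in "replica uri=ldaps://HOST"?
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$host" ]; then
    echo "name: cert CN '$cn' does not match replica host '$host'"
    return 1
  fi
  echo ok
}

mk_ca() {      # mk_ca PREFIX CN -> PREFIX-cacert.pem, PREFIX-cakey.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1-cakey.pem" -out "$WORK/$1-cacert.pem" 2>/dev/null
}
mk_server() {  # mk_server PREFIX CAPREFIX CN -> PREFIX-servercrt.pem
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1-serverkey.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2-cacert.pem" \
    -CAkey "$WORK/$2-cakey.pem" -CAcreateserial -days 1 \
    -out "$WORK/$1-servercrt.pem" 2>/dev/null
}
mk_ca MASTER master-ca.example.test
mk_ca SLAVE  slave-ca.example.test
mk_server SLAVE SLAVE slave.example.test
cat "$WORK/MASTER-cacert.pem" "$WORK/SLAVE-cacert.pem" > "$WORK/cacert.pem"

# A master trusting only its own CA cannot validate the slave: handshake fails.
check_peer_cert "$WORK/MASTER-cacert.pem" "$WORK/SLAVE-servercrt.pem" slave.example.test || true
# With the concatenated bundle the chain checks out, provided CN == host.
check_peer_cert "$WORK/cacert.pem" "$WORK/SLAVE-servercrt.pem" slave.example.test
check_peer_cert "$WORK/cacert.pem" "$WORK/SLAVE-servercrt.pem" slave.domain.com || true
```

The same checks apply in the other direction (slave verifying the master's cert when it chases updateref), so run it with the MASTER-servercrt.pem and the master's hostname too.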

