
RE: Slurpd and TLS/SSL



Hi Kurt / all,

I have kind of the same situation here with slurpd (openldap 2.3.7). I
knew something was wrong with my implementation but I could not
figure it out. I'm trying to configure replication between hosts lda01
and lda03; when using 389 everything was fine. As you suggested, I can
use

lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda03.mydomain.com -Z
or
lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda03.mydomain.com


lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda01.mydomain.com -Z
or
lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda01.mydomain.com

but when I start slurpd, the log complains

[lda01 ~]# /usr/local/openldap/libexec/slurpd -f /usr/local/openldap/etc/openldap/slapd.conf -r /var/log/slapd.replog -d 1
@(#) $OpenLDAP: slurpd 2.3.7 (Sep  7 2005 13:42:42) $
        root@lda01.mydomain.com:/opt/src/openldap-2.3.7/servers/slurpd

ldap_url_parse_ext(ldaps://lda03.mydomain.com)
Warning: saved state for 10.1.4.133:389, not a known replica
Warning: unknown replica 10.1.4.133:389 found in replication log
Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
ldap_create
ldap_url_parse_ext(ldaps://lda03.mydomain.com)
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP lda03.mydomain.com:636
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 10.1.4.133:636
ldap_connect_timeout: fd: 8 tm: -1 async: 0
ldap_ndelay_on: 8
Warning: unknown replica lda03.mydomain.com:0 found in replication log
ldap_is_sock_ready: 8
ldap_ndelay_off: 8
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=ca/ST=ontario/L=toronto/O=rogers telecom/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com, issuer: /C=ca/ST=ontario/L=toronto/O=mydomain/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error: ldap_simple_bind_s for lda03.mydomain.com:636 failed: Can't
contact LDAP server
ldap_unbind

As I read
http://www.openldap.org/lists/openldap-software/200509/msg00050.html
http://www.openldap.org/lists/openldap-software/200509/msg00063.html
if I'm not misunderstanding, I'm using "a self-signed CA cert and then use
that to create and sign separate server certs" on each server.
ldap.conf uses
tls_cacert /etc/openldap/cacerts/cacert.pem
which is the same as 
TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
in slapd.conf.

I appreciate any comments or any reference links. Thanks. 

Regards,

Ran
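Ran's log stops at "depth: 1, err: 19" (self signed certificate in certificate chain), which is what OpenSSL reports when the root certificate the replica sends along with its own is not among the CAs the client actually loaded as trusted. The script below is an added example, not part of this thread and not OpenLDAP code: it builds a throwaway CA and a server cert signed by it (all constructed), then runs the same chain through openssl verify once with the issuing CA trusted and once without, so the two outcomes can be compared before touching slurpd. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: reproduce the "error 19" trust failure offline with a
# constructed two-level chain (self-signed CA -> server cert), then show
# that the same server cert verifies once the issuing CA is trusted.

# make_test_pki DIR: create a self-signed CA (the role of cacert.pem on the
# page) and a server cert signed by it, like the chain seen in the log.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA (constructed)" \
        -keyout "$dir/cacert.key" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=lda03.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cacert.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
}

# verify_server_cert CAFILE CHAIN SERVER: exit 0 if SERVER verifies.
# CHAIN stands in for the CA cert the replica presents with its own cert
# (the "depth: 1" certificate in the log); CAFILE is the trust anchor that
# TLS_CACERT would point at.  An empty CAFILE means "no usable CA loaded",
# which is the situation the slurpd log shows.
verify_server_cert() {
    cafile=$1; chain=$2; server=$3
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" -untrusted "$chain" "$server"
    else
        openssl verify -untrusted "$chain" "$server"
    fi
}

# demo_tls_trust: print "OK" for the trusted case, then the error 19 line.
demo_tls_trust() {
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    echo "CA file pointing at the issuing CA:"
    verify_server_cert "$tmp/cacert.pem" "$tmp/cacert.pem" "$tmp/server.pem"
    echo "no usable CA file (the failure on the page):"
    verify_server_cert "" "$tmp/cacert.pem" "$tmp/server.pem" || true
    rm -rf "$tmp"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo_tls_trust; fi
```

Run with RUN_DEMO=1 to see both results; the second verify prints "error 19 at 1 depth lookup", the same code the slurpd TLS trace reports, which is the symptom to chase in whichever ldap.conf the slurpd binary actually reads.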



-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Kurt D.
Zeilenga
Sent: Thursday, October 13, 2005 3:26 PM
To: openldap-software@OpenLDAP.org
Cc: openldap-software@OpenLDAP.org
Subject: Re: Slurpd and TLS/SSL


At 11:39 AM 10/13/2005, Jim Seymour wrote:
>Is now the point at which I mention I'm more confused than ever?

I suggest you make sure ldapsearch(1) can talk to the
replica using the desired connection/TLS information
before attempting to get slurpd(8) to talk to it.
As Howard points out, all OpenLDAP clients (including slurpd(8)) use
ldap.conf(5) for TLS configuration. So, once you have ldapsearch(1)
working, getting slurpd(8) to work should not be a problem.

Use of TLS in ldapsearch(1) is discussed in the
Admin Guide as well as other publications on the
web site (e.g., FAQ, http:/www/openldap.org/pub/).

Note as well starttls=yes is equivalent to ldapsearch's
-Z, not -ZZ.  For the latter it's starttls=critical.

Kurt