
Re: Multimaster SASL/EXTERNAL (TLS client cert) error



Gémes Géza wrote:
Gavin Henry wrote:
----- "Gémes Géza" <geza@kzsdabas.hu> wrote:
dn:cn=config
just like expected (ldapsearch and friends are also working on both
sides and cross).
Just to be sure I've exported the LDAPCONF variable in the slapd startup script.
But syncrepl doesn't work!

slapd no longer reads any external LDAP configuration files. The TLS options must be added to the syncrepl config statement. Read the slapd.conf(5) manpage.


On the logs (olcLogLevel=-1):
slap_client_connect: URI=ldaps://first-or-second-ldap-server
ldap_sasl_interactive_bind_s failed (-6)
connection_read(20): unable to get TLS client DN, error=49 id=23

Are you trying to StartTLS on an SSL (ldaps://) connection? That won't work.


However a simple ldapwhoami or ldapsearch works. The ldaprc used is:

BASE     dc=kzsdabas,dc=hu
URI        ldaps://first-ldap-server ldaps://second-ldap-server
TLS_CACERT    /etc/ssl/certs/ca.crt
TLS_CERT    /etc/ldap/syncrepl.crt
TLS_KEY        /etc/ldap/syncrepl.key
TLS_REQCERT    demand
SASL_MECH    external
SASL_AUTHCID    cn=LDAP Syncrepl Client,ou=LDAP Server,o=Kossuth Zsuzsanna SZKI,l=Dabas,st=Pest,c=HU


Just to be sure now I've tried to change the providers to ldap://..., but without luck. Now it just reports in the logs:

slap_client_connect: URI=ldaps://first-or-second-ldap-server
ldap_sasl_interactive_bind_s failed (-6)



Thanks for any idea.

Geza



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
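Added example, not from the thread or the OpenLDAP project: a consumer-side syncrepl statement in slapd.conf(5) form carrying the TLS client-certificate settings that the ldaprc above was meant to supply, since slapd ignores ldaprc/LDAPCONF. Certificate paths and the suffix come from the thread; rid, the database type and the retry schedule are assumptions, and under cn=config the same string is the value of olcSyncrepl on the olcDatabase entry.

```conf
# Consumer slapd.conf fragment (assumed database type and rid).
# Server-side trust store for incoming TLS connections.
TLSCACertificateFile /etc/ssl/certs/ca.crt

database hdb
suffix   "dc=kzsdabas,dc=hu"

# All TLS client-cert options live inside the syncrepl directive;
# lines beginning with whitespace continue the directive.
# The provider URI is ldaps://, so TLS is negotiated on connect and
# starttls must stay off (StartTLS on an ldaps:// session fails).
syncrepl rid=001
         provider=ldaps://first-ldap-server
         type=refreshAndPersist
         retry="5 5 300 +"
         searchbase="dc=kzsdabas,dc=hu"
         bindmethod=sasl
         saslmech=EXTERNAL
         starttls=no
         tls_cert=/etc/ldap/syncrepl.crt
         tls_key=/etc/ldap/syncrepl.key
         tls_cacert=/etc/ssl/certs/ca.crt
         tls_reqcert=demand
```

The slapd process user must be able to read syncrepl.key, and on the provider the certificate subject still has to map (authz-regexp) to a directory identity whose ACLs allow reading the replicated subtree.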