
Re: syncrepl failing with ldap_start_tls failed (-11)



On Sat, Jan 28, 2012 at 4:38 AM, Iain Georgeson
<iain.georgeson@kaust.edu.sa> wrote:
> Hello,
>
> * Summary:
>
> I'm trying to set up syncrepl in my LDAP infrastructure. The logs on
> my consumer show that syncrepl is failing to negotiate TLS when
> connecting to the provider. Other LDAP commands such as ldapsearch and
> sssd show no problem connecting using the same TLS configuration.
>
> At this point, I don't have a good idea of how to continue debugging
> this problem. Are there any more configuration items affecting TLS I
> should be looking at? Or any way of getting more details on the TLS
> negotiation?

There were a few moznss TLS issues fixed between 2.4.23-15 and
2.4.23-20 in RHEL 6.2 (backported from openldap upstream
2.4.24-2.4.28).

I don't know how far behind SL is compared to RHEL, but if you can, try
with openldap 2.4.23-20.

>
>
> * The provider ("auth-00.[MYDOMAIN]"):
>
> slapd 2.4.23 from openldap-servers-2.4.23-15.el6.x86_64 on Scientific
> Linux 6. TLS is configured with
>
> [cn=config]
> olcTLSCACertificateFile: /etc/ssl/[MYCA].pem
> olcTLSCertificateFile: /etc/ssl/certs/auth-00.crt.pem        # Has
> CN=auth-00.[MYDOMAIN]
> olcTLSCertificateKeyFile: /etc/ssl/private/auth-00.key.pem
> olcTLSVerifyClient: never
>
> If I try:
> $ ldapsearch -ZZ -x -H ldap://auth-00.[MYDOMAIN]/ uid=iain
> it connects and cheerfully returns objects
>
>
> * The provider ("auth-01.MYDOMAIN"):
>
> Same slapd version, same package, same OS. syncrepl configuration:
>
> olcSyncrepl: rid=001 provider=ldap://auth-00.[MYDOMAIN]:389
> bindmethod=simple timeout=0
>  network-timeout=0  binddn="cn=syncrepl,dc=[MYDOMAIN]"
> credentials="[MYPASSWORD]"
>  keepalive=0:0:0 filter="(objectClass=*)" searchbase="dc=[MYDOMAIN]" scope=sub
>  schemachecking=off type=refreshAndPersist retry="10 3 120 5 600 +"
> starttls=critical
>  tls_cacert=/etc/ssl/MYCA.pem
>
>
> * The error
>
> Consumer:
> Jan 28 11:53:12 auth-01 slapd[5595]: slapd starting
> Jan 28 11:53:12 auth-01 slapd[5595]: slap_client_connect:
> URI=ldap://auth-00.[MYDOMAIN]:389 Error, ldap_start_tls failed (-11)
> Jan 28 11:53:13 auth-01 slapd[5595]: do_syncrepl: rid=001 rc -11
> retrying (2 retries left)
>
> Provider receiving syncrepl connection:
> Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 ACCEPT from
> IP=[AUTH-01'S IP]:42669 (IP=0.0.0.0:389)
> Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 STARTTLS
> Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 RESULT oid= err=0 text=
> Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 closed (TLS
> negotiation failure)
>
> Provider receiving ldapsearch connection:
> Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 ACCEPT from
> IP=[AUTH-01'S IP]:42765 (IP=0.0.0.0:389)
> Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 STARTTLS
> Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 RESULT oid= err=0 text=
> Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 TLS established
> tls_ssf=256 ssf=256
> Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=1 BIND [...]
>
>
> Thanks,
>
>    Iain.
>
> --
> Systems Engineer
> KAUST Visualisation Laboratory
>
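The provider-side excerpts quoted above show the two outcomes a STARTTLS attempt can have on the same kind of conn= id: "TLS established tls_ssf=256" versus "closed (TLS negotiation failure)". As an added example, not code from the original thread, here is a small Python parser that walks slapd syslog lines of that shape, pairs each connection's ACCEPT peer address with its TLS outcome, and also flags binds that never negotiated TLS at all; the sample lines are constructed from the quoted excerpts with placeholder addresses and DNs, and are written unwrapped.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the provider log excerpts in the thread
# (addresses and DNs are placeholders; lines are unwrapped).
SAMPLE_LOG = """\
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 ACCEPT from IP=10.0.0.11:42669 (IP=0.0.0.0:389)
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 STARTTLS
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 RESULT oid= err=0 text=
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 closed (TLS negotiation failure)
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 ACCEPT from IP=10.0.0.11:42765 (IP=0.0.0.0:389)
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 STARTTLS
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 RESULT oid= err=0 text=
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 TLS established tls_ssf=256 ssf=256
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=1 BIND dn="cn=syncrepl,dc=example" method=128
Jan 28 14:02:10 auth-00 slapd[22621]: conn=1100 fd=104 ACCEPT from IP=10.0.0.12:50001 (IP=0.0.0.0:389)
Jan 28 14:02:10 auth-00 slapd[22621]: conn=1100 op=0 BIND dn="cn=admin,dc=example" method=128
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+):\d+ \(")   # peer address without the port
TLS_OK_RE = re.compile(r"TLS established tls_ssf=(\d+)")


def summarize_tls(log_text):
    """Map conn id -> peer, whether STARTTLS was requested, TLS outcome
    ('ok', 'failed' or 'none'), negotiated tls_ssf, and any bind done without TLS."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue                      # not a per-connection slapd line
        cid, rest = m.group(1), m.group(2)
        c = conns.setdefault(cid, {"peer": None, "starttls": False, "tls": "none",
                                   "ssf": None, "cleartext_bind": False})
        accept, ok = ACCEPT_RE.search(rest), TLS_OK_RE.search(rest)
        if accept:
            c["peer"] = accept.group(1)
        elif rest.endswith("STARTTLS"):
            c["starttls"] = True
        elif ok:
            c["tls"], c["ssf"] = "ok", int(ok.group(1))
        elif "TLS negotiation failure" in rest:
            c["tls"] = "failed"           # the consumer's ldap_start_tls -11 case
        elif " BIND " in rest and c["tls"] != "ok":
            c["cleartext_bind"] = True    # credentials sent before any TLS layer
    return conns


def tls_failures(log_text):
    """(conn id, peer) pairs whose STARTTLS handshake failed."""
    return [(cid, c["peer"]) for cid, c in summarize_tls(log_text).items()
            if c["tls"] == "failed"]
```

Run against a real provider log, a peer that appears repeatedly in `tls_failures()` while others negotiate fine points at a client-side TLS problem (library or configuration on that consumer) rather than at the provider's certificate.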