
syncrepl mirrormode with SSL/TLS issues



I am attempting to move my syncrepl with mirrormode configuration over to TLS using LDAPS (not starttls) and running into problems.

Multimaster setup (2 servers) behind a VIP
both RHEL 6.3
Openldap 2.4.23-26
still running the old slapd.conf method (apologies)
There are 3 separate certificates ldap.mycompany.net, server01.mycompany.net, and server02.mycompany.net

The primary certificate is used for running slapd, and the individual server certs are intended to allow syncrepl over ssl.

My configurations for syncrepl/mirrormode are down below.

I had success with non-ssl syncrepl/mirrormode.  It worked great actually.
Now I am attempting to get syncrepl/mirrormode working with SSL.

What I observe is whichever slapd instance is the last to startup is the one that becomes a "Master" as if I was in a producer/consumer setup. 

Errors I am seeing are
slapd[11995]: conn=1003 fd=13 ACCEPT from IP=<server1_IP>:56368 (IP=0.0.0.0:636)
slapd[11995]: connection_read(13): TLS accept failure error=-1 id=1003, closing

slapd[11485]: slap_client_connect: URI=ldaps://server01.mycompany.net DN="cn=Admin,dc=mycompany,dc=net" ldap_sasl_bind_s failed (-1)
slapd[11485]: do_syncrepl: rid=001 rc -1 retrying

Server 1 configuration
*************************
# Server1 synchronization settings

serverID 1

syncrepl rid=002
        provider=ldaps://server02.mycompany.net
        binddn="cn=Admin,dc=mycompany,dc=net"
        bindmethod=simple
        credentials=secret
        tls_cert=/etc/openldap/certs/server02.mycompany.net.pem
        tls_cacert=/etc/openldap/certs/Verisignbundle.crt
        tls_key=/etc/openldap/certs/server02.mycompany.net.key
        tls_reqcert=allow
        searchbase="dc=mycompany,dc=net"
        type=refreshAndPersist
        retry="5 5 300 +"
        timelimit=5
        attrs="*,+"
        interval=00:00:05:00
        schemachecking=off

mirrormode on

# Server1 synchronization overlay
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Server1 end
**************************************************************************************************

Server 2 configuration
*********************************
# Server2 synchronization settings

serverID 2

syncrepl rid=001
        provider=ldaps://server01.mycompany.net
        binddn="cn=Admin,dc=mycompany,dc=net"
        bindmethod=simple
        credentials=secret
        tls_cert=/etc/openldap/certs/server01.mycompany.net.pem
        tls_cacert=/etc/openldap/certs/Verisignbundle.crt
        tls_key=/etc/openldap/certs/server01.mycompany.net.key
        tls_reqcert=allow
        searchbase="dc=mycompany,dc=net"
        type=refreshAndPersist
        retry="5 5 300 +"
        timelimit=5
        attrs="*,+"
        interval=00:00:05:00
        schemachecking=off

mirrormode on


# Server02 synchronization overlay
overlay syncprov
syncprov-checkpoint 100 10

# Server2 end
**************************************************************************************************

any help is greatly appreciated
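Added example, not from the post or from OpenLDAP: a small Python checker for the TLS settings of a slapd.conf syncrepl stanza, run here over an embedded copy of the Server 1 stanza. It flags a tls_reqcert other than demand/hard (the consumer then does not verify the provider's certificate) and a tls_cert/tls_key whose file name carries a host other than the local server, which is the case in both stanzas above; the file-name convention and the local_host argument are assumptions.

```python
import os
import re

# Constructed sample input: the Server 1 stanza from the post, embedded so the
# checker runs offline. Hostnames and paths are the ones quoted in the mail.
SAMPLE_CONF = """serverID 1

syncrepl rid=002
        provider=ldaps://server02.mycompany.net
        binddn="cn=Admin,dc=mycompany,dc=net"
        bindmethod=simple
        credentials=secret
        tls_cert=/etc/openldap/certs/server02.mycompany.net.pem
        tls_cacert=/etc/openldap/certs/Verisignbundle.crt
        tls_key=/etc/openldap/certs/server02.mycompany.net.key
        tls_reqcert=allow
        searchbase="dc=mycompany,dc=net"

mirrormode on
"""

def parse_syncrepl(conf):
    """Collect key=value pairs of the first syncrepl directive; in slapd.conf a
    line beginning with whitespace continues the previous directive."""
    lines = conf.splitlines()
    words = []
    for i, line in enumerate(lines):
        if line.startswith("syncrepl"):
            words.append(line[len("syncrepl"):])
            for cont in lines[i + 1:]:
                if not cont[:1].isspace():
                    break
                words.append(cont)
            break
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', " ".join(words))
    return {k: v.strip('"') for k, v in pairs}

def host_from_path(path):
    """Hostname embedded in a cert/key file name (assumed naming convention)."""
    m = re.match(r"(.+?)\.(pem|crt|key)$", os.path.basename(path))
    return m.group(1) if m else None

def check_syncrepl_tls(conf, local_host):
    """Return a list of findings about the consumer's TLS settings."""
    s = parse_syncrepl(conf)
    findings = []
    if not s.get("provider", "").startswith("ldaps://"):
        findings.append("provider is not an ldaps:// URI")
    if "tls_cacert" not in s and "tls_cacertdir" not in s:
        findings.append("no tls_cacert/tls_cacertdir: provider chain cannot be validated")
    if s.get("tls_reqcert", "demand") not in ("demand", "hard"):
        findings.append("tls_reqcert=%s: provider certificate is not verified" % s["tls_reqcert"])
    cert_host, key_host = host_from_path(s.get("tls_cert", "")), host_from_path(s.get("tls_key", ""))
    if cert_host and key_host and cert_host != key_host:
        findings.append("tls_cert and tls_key appear to belong to different hosts")
    if cert_host and cert_host != local_host:
        findings.append("tls_cert names %s, not the local host %s" % (cert_host, local_host))
    return findings
```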