
Syncrepl using can't start ssl session because of refused certificate



Hello,

I'm trying to upgrade an openLdap server from FC9 (openldap-servers-2.4.10-2.fc9.i386) to Redhat Enterprise 6 (openldap-servers-2.4.23-15.el6.x86_64). In this new setup, my local database works but the Syncrepl replication process fails to establish the "ldaps://" session to my syncrepl-providers because the TLS layer fails. Indeed, the TLS layer complains that my _server's certificate_ isn't a valid _client certificate_ (with error 8101 - SEC_ERROR_INADEQUATE_CERT_TYPE): but I don't want client-side authentication!

In the past syncrepl didn't try to use the server certificate as a client certificate, and I haven't seen any reference to this in the documentation. I first thought it could have been related to ITS#6791 but I don't think so anymore because it only affects Syncrepl.

Don't hesitate to redirect me to the openldap-users list if I've missed something simple.

Thanks in advance,
Thibault

Here is an excerpt of slapd in debug-mode:
----------------------------------------------------------
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate [CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is not valid - error -8101:Unknown code ___f 91.
TLS: error: unable to set up client certificate authentication for certificate named PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: unable to set up client certificate authentication using PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: could not initialize moznss security context - error -8101:Unknown code ___f 91
TLS: can't create ssl handle.
slap_client_connect: URI=ldaps://otherldap.mydom.fr DN="cn=myreplicationAccount,dc=mydom,dc=fr" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=125 rc -1 retrying (9 retries left)
----------------------------------------------------------

Here is my syncrepl setup:
---------------------------------------------------------
syncrepl rid=125
        provider=ldaps://otherldap.mydom.fr
        type=refreshOnly
        interval=00:00:03:00
        retry="60 10 300 +"
        searchbase="dc=subranch,dc=mydom,dc=fr"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=myreplicationAccount,dc=mydom,dc=fr"
        credentials="MyVerySecretPassword"
---------------------------------------------------------

And eventually my /etc/openldap/ldap.conf:
---------------------------------------------------------
TLS_CACERT /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------