(ITS#6994) Syncrepl with MozNSS inherits TLS context from main configuration breaking some syncrepl setups
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#6994) Syncrepl with MozNSS inherits TLS context from main configuration breaking some syncrepl setups
- From: thibault.lemeur@supelec.fr
- Date: Mon, 11 Jul 2011 16:44:48 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Thibault Le Meur
Version: 2.4.23-15
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (160.228.28.55)
Previously on my FC13 installation (openldap-servers-2.4.21-11) the main slapd
process used an X509 "server" while my syncrepl processes were using the
/etc/openldap/ldap.conf client configuration file in order to connect to my
LDAPs Syncrepl providers.
My new RHEL6 setup (openldap-servers-2.4.23-15.el6.x86_64) is linked to
MozNSS, and Syncrepl can't connect to my LDAPs providers anymore because it
complains about the TLS context not being initialized correctly (the server's
certificate isn't accepted as a client certificate).
Here is the lightly obfuscated log:
----------------------------------------------------------
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate [CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is
not valid - error -8101:Unknown code ___f 91.
TLS: error: unable to set up client certificate authentication for certificate
named PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: unable to set up client certificate authentication using PEM Token
#0:myldap.mydom.fr-cert.pem - 0
TLS: error: could not initialize moznss security context - error -8101:Unknown
code ___f 91
TLS: can't create ssl handle.
slap_client_connect: URI=ldaps://otherldap.mydom.fr
DN="cn=myreplicationAccount,dc=mydom,dc=fr" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=125 rc -1 retrying (9 retries left)
----------------------------------------------------------
Here is my syncrepl setup:
---------------------------------------------------------
syncrepl rid=125
provider=ldaps://otherldap.mydom.fr
type=refreshOnly
interval=00:00:03:00
retry="60 10 300 +"
searchbase="dc=subranch,dc=mydom,dc=fr"
filter="(objectClass=*)"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=myreplicationAccount,dc=mydom,dc=fr"
credentials="MyVerySecretPassword"
---------------------------------------------------------
My setup related to TLS:
---------------------------------------------------------
TLSCipherSuite HIGH
TLSCertificateFile /etc/ssl/certs/myldap.mydom.fr-cert.pem
TLSCertificateKeyFile /etc/ssl/keys/myldap.mydom.fr-key.pem
TLSCACertificateFile /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------
And my /etc/openldap/ldap.conf:
---------------------------------------------------------
TLS_CACERT /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------
Here is the obfuscated certificate:
---------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 221 (0xdd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myCA/emailAddress=myemail@mydom.fr
        Validity
            Not Before: Oct  2 16:42:15 2007 GMT
            Not After : Dec 14 16:42:15 2012 GMT
        Subject: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myldap.mydom.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                keyid:...
                DirName:/C=FR/ST=myst/L=myloc/O=myorg/OU=myou/CN=myCA/emailAddress=thibault.lemeur@supelec.fr
                serial:00
            X509v3 Issuer Alternative Name:
                <EMPTY>
            Netscape SSL Server Name:
                myldap.mydom.fr
            X509v3 Subject Alternative Name:
                DNS:ldap, DNS:ldapalias1, DNS:ldapalias2, DNS:ldapalias1.mydom.fr, DNS:ldapalias2.mydom.fr, DNS:ldap.mydom.fr, DNS:myldap, DNS:myldap.mydom.fr
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, Code Signing
    Signature Algorithm: sha1WithRSAEncryption
        ...
---------------------------------------------------------
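The certificate in the report carries a critical Extended Key Usage of TLS Web Server Authentication and Code Signing, but not TLS Web Client Authentication, which is the purpose a syncrepl consumer needs when it presents the slapd server certificate to a provider as a client certificate. The Python script below is an added example, not part of the ITS report or of OpenLDAP's code: it decodes the DER value of an EKU extension and reports whether the certificate may be used for client authentication, following the RFC 5280 rule that an absent EKU or anyExtendedKeyUsage permits any purpose. The two EKU byte strings are constructed, one matching the purposes shown in the dump and one for a hypothetical certificate that also carries clientAuth; the script decodes only the extension value, not a whole certificate.

```python
"""Decode an X.509 Extended Key Usage extension value (DER) and report
whether the certificate is acceptable as a TLS client certificate."""

# Key purpose OIDs from RFC 5280 section 4.2.1.12.
KEY_PURPOSES = {
    "1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "E-mail Protection",
    "1.3.6.1.5.5.7.3.8": "Time Stamping",
    "1.3.6.1.5.5.7.3.9": "OCSP Signing",
    "2.5.29.37.0": "Any Extended Key Usage",
}
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EKU = "2.5.29.37.0"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the base-128 arc
            arcs.append(n)
            n = 0
    if n:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Return the KeyPurposeId OIDs of an ExtKeyUsageSyntax SEQUENCE."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    if not oids:
        raise ValueError("EKU SEQUENCE must contain at least one purpose")
    return oids


def allows_client_auth(oids):
    """oids is None when the certificate has no EKU extension at all."""
    return oids is None or CLIENT_AUTH in oids or ANY_EKU in oids


def report(der):
    """Human-readable verdict for one EKU extension value."""
    oids = decode_eku(der)
    names = ", ".join(KEY_PURPOSES.get(o, o) for o in oids)
    verdict = "usable" if allows_client_auth(oids) else "NOT usable"
    return "EKU: %s -> %s as a TLS client certificate" % (names, verdict)


# Constructed sample: { serverAuth, codeSigning }, the purposes shown in the
# reported certificate dump.
SERVER_ONLY_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070303")
# Constructed sample: { serverAuth, clientAuth }, a hypothetical certificate that
# could serve both the listening slapd and its syncrepl consumer.
DUAL_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")

if __name__ == "__main__":
    print(report(SERVER_ONLY_EKU))
    print(report(DUAL_EKU))
```

The EKU value of a real certificate is the content of the extension with OID 2.5.29.37; `openssl x509 -text -noout`, which produced the dump in the report, prints the same purposes by name, so the check above is the programmatic form of reading that "X509v3 Extended Key Usage" line before pointing a syncrepl consumer at a provider that requests a client certificate.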