
(ITS#7438) ssl/tls replication not working



Full_Name: 
Version: 2.4.20
OS: RHEL 6.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (14.140.116.135)


Hi List

While configuring OpenLDAP replication with SSL,
I am getting the log messages below:

TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol.
conn=1069 fd=15 closed (TLS negotiation failure)
slap_client_connect: URI=ldap://10.242.151.17:636 Warning, ldap_start_tls failed
(-1)
slap_client_connect: URI=ldap://10.242.151.17:636 DN="cn=manager,dc=idm,dc=com"
ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=777 rc -1 retrying
slap_client_connect: URI=ldap://10.243.129.6:636 Warning, ldap_start_tls failed
(-1)
slap_client_connect: URI=ldap://10.243.129.6:636 DN="cn=manager,dc=idm,dc=com"
ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=444 rc -1 retrying
conn=1070 fd=15 ACCEPT from IP=10.242.151.17:44531 (IP=0.0.0.0:636)
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol.
conn=1070 fd=15 closed (TLS negotiation failure)
slap_client_connect: URI=ldap://10.242.151.17:636 Warning, ldap_start_tls failed
(-1)
slap_client_connect: URI=ldap://10.242.151.17:636 DN="cn=manager,dc=idm,dc=com"
ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=777 rc -1 retrying
slap_client_connect: URI=ldap://10.243.129.6:636 Warning, ldap_start_tls failed
(-1)
slap_client_connect: URI=ldap://10.243.129.6:636 DN="cn=manager,dc=idm,dc=com"
ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=444 rc -1 retrying
conn=1071 fd=15 ACCEPT from IP=10.242.151.17:44533 (IP=0.0.0.0:636)
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol.
conn=1071 fd=15 closed (TLS negotiation failure)
slap_client_connect: URI=ldap://10.242.151.17:636 Warning, ldap_start_tls failed
(-1)
slap_client_connect: URI=ldap://10.242.151.17:636 DN="cn=manager,dc=idm,dc=com"
ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=777 rc -1 retrying
slap_client_connect: URI=ldap://10.243.129.6:636 Warning, ldap_start_tls failed
(-1)
slap_client_connect: URI=ldap://10.243.129.6:636 DN="cn=manager,dc=idm,dc=com"
ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=444 rc -1 retrying


I am using self-signed certificates.

When I do a search:

# ldapsearch -d 1 -x -b "dc=ibm,dc=com" -H 'ldaps://10.xx.xx.x' -ZZ
ldap_url_parse_ext(ldaps://10.xx.xx.x)
ldap_create
ldap_url_parse_ext(ldaps://10.xx.xx.x:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.xx.xx.x:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.xx.xx.x:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject:
/C=IN/ST=HR/L=GGN/O=SAPIENT/OU=ISST/CN=localhost/emailAddress=akumar178@sapient.com,
issuer: /C=IN/ST=HR/L=GGN/O=SAPIENT/OU=ISST/CN=localhost/emailAddress=akumar178@sapient.com
TLS certificate verification: Error, self signed certificate
TLS certificate verification: depth: 0, err: 18, subject:
/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=localhost/emailAddress=akumar178@sapient.com,
issuer: /C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=localhost/emailAddress=akumar@sap.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
TLS: unable to get peer certificate.
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x1942aa0 msgid 1
wait4msg ld 0x1942aa0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1942aa0 msgid 1 all 1
** ld 0x1942aa0 Connections:
* host: 10.243.129.6  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Nov 15 11:58:52 2012


** ld 0x1942aa0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1942aa0 request count 1 (abandoned 0)
** ld 0x1942aa0 Response Queue:
   Empty
  ld 0x1942aa0 response count 0
ldap_chkResponseList ld 0x1942aa0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1942aa0 NULL
ldap_int_select
read1msg: ld 0x1942aa0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 31 contents:
read1msg: ld 0x1942aa0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1942aa0 0 new referrals
read1msg:  mark request completed, ld 0x1942aa0 msgid 1
request done: ld 0x1942aa0 msgid 1
res_errno: 1, res_error: <TLS already started>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_start_tls: Operations error (1)
	additional info: TLS already started
   
]# ldapsearch -d 1 -x -b "dc=ibm,dc=com" -H 'ldaps://localhost' -ZZ
ldap_url_parse_ext(ldaps://localhost)
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject:
/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=localhost/emailAddress=akumar@sap.com,
issuer: /C=IN/ST=HR/L=GGN/O=SAPIENT/OU=ISST/CN=localhost/emailAddress=akumar@sap.com
TLS certificate verification: Error, self signed certificate
TLS certificate verification: depth: 0, err: 18, subject:
/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=localhost/emailAddress=akumar@sap.com,
issuer: /C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=localhost/emailAddress=akumar@sap.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
TLS: unable to get peer certificate.
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x2172aa0 msgid 1
wait4msg ld 0x2172aa0 msgid 1 (infinite timeout)
wait4msg continue ld 0x2172aa0 msgid 1 all 1
** ld 0x2172aa0 Connections:
* host: localhost  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Nov 15 12:14:16 2012


** ld 0x2172aa0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x2172aa0 request count 1 (abandoned 0)
** ld 0x2172aa0 Response Queue:
   Empty
  ld 0x2172aa0 response count 0
ldap_chkResponseList ld 0x2172aa0 msgid 1 all 1
ldap_chkResponseList returns ld 0x2172aa0 NULL
ldap_int_select
read1msg: ld 0x2172aa0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 31 contents:
read1msg: ld 0x2172aa0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x2172aa0 0 new referrals
read1msg:  mark request completed, ld 0x2172aa0 msgid 1
request done: ld 0x2172aa0 msgid 1
res_errno: 1, res_error: <TLS already started>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_start_tls: Operations error (1)
	additional info: TLS already started



slapd.conf

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/apps/openldap/var/run/slapd.pid
argsfile	/apps/openldap/var/run/slapd.args

# Load dynamic backend modules:
# modulepath	/app/openldap/libexec/openldap
# moduleload	back_bdb.la
# moduleload	back_hdb.la
# moduleload	back_ldap.la
# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): with the "security" line left commented out, nothing stops a
# simple bind (rootdn or the replication binddn below) from being sent over a
# cleartext connection; once TLS works, an active "security" directive is what
# enforces its use.

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
#access to *
#by self write
#by users read
#by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
### logging ###
logfile /apps/logs/ldap
# 16640 = 256 (stats) + 16384 (sync): connection/operation statistics plus the
# syncrepl consumer messages ("do_syncrepl: rid=... retrying") quoted above.
loglevel 16640
#######################################################################
# BDB database definitions
#######################################################################

database	bdb
suffix		"dc=ibm,dc=com"
# Restrict userPassword to be used for authentication only, but allow users to
modify
# their own passwords.
# NOTE(review): the bare "modify" line above looks like mail wrapping of the
# preceding comment; slapd would not accept it as a directive, so the real file
# presumably has the comment on one line. Confirm before copying this config.
access to attrs=userPassword
     by self write
     by * auth

# Simple ACL granting read access to the world
# NOTE(review): "by * read" includes anonymous binds, so every attribute except
# userPassword is readable without authenticating.
access to * 
     by * read
rootdn		"cn=Manager,dc=ibm,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.

# NOTE(review): this hash was pasted into a public ticket; treat the rootdn
# password as exposed and regenerate it with slappasswd(8).
rootpw  {SSHA}dXDFS3TAzYf8DrDSYWY

##################  SSL  ##########################################
#
# NOTE(review): MEDIUM admits weaker suites, and "+SSLv3" only moves the
# SSLv3-era suites to the end of the list rather than excluding them; "HIGH"
# alone is the safer starting point.
TLSCipherSuite HIGH:MEDIUM:+SSLv3
# NOTE(review): one PEM file serves as CA certificate, server certificate and
# private key. That is fine for a self-signed cert, but a near-identical name
# (mmprodam04.pem) is also handed to clients as the CA file in the ldap.conf
# below; if that copy contains the private key, the key has been distributed
# with the CA bundle. Keep the key in a separate 0600 file and give clients
# only the certificate.
TLSCACertificateFile /apps/openldap/etc/openldap/certs/mmprodadm04.pem
TLSCertificateFile /apps/openldap/etc/openldap/certs/mmprodadm04.pem
TLSCertificateKeyFile /apps/openldap/etc/openldap/certs/mmprodadm04.pem
#

####################################################################
#Replication Configuration
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
index  entryCSN,entryUUID    eq

serverid        2
## DR ldap server replication
# NOTE(review): this is the likely cause of the reported failure. provider= uses
# the ldap:// scheme on port 636 together with starttls=yes, so the consumer
# opens a cleartext LDAP session to a listener that expects a TLS handshake as
# its first bytes: the provider logs "SSL23_GET_CLIENT_HELLO:unknown protocol"
# on IP=0.0.0.0:636 and the consumer logs "ldap_start_tls failed (-1)". Use one
# or the other: "provider=ldaps://host:636" with the starttls= line removed, or
# "provider=ldap://host:389" with starttls=yes (assuming a plain listener on
# 389). The ldapsearch runs above show the same mix-up from the client side:
# "-H ldaps://..." plus "-ZZ" ends in "TLS already started".
# NOTE(review): tls_reqcert=never means the consumer never checks the provider's
# certificate, so whatever answers at that address is accepted and the bind
# credentials are sent to it. For a self-signed provider cert, point tls_cacert=
# at that certificate (certificate only, no key) and use tls_reqcert=demand.
# The certificate seen in the ldapsearch trace has CN=localhost, which will not
# match the IP addresses used in provider= once verification is on.
# NOTE(review): credentials= stores the replication password in cleartext; this
# file must be readable only by the slapd user.
syncrepl        rid=444
                provider=ldap://10.x.x.x:636
                binddn="cn=Manager,dc=ibm,dc=com"
                bindmethod=simple
                credentials=xxxxxxxx
		starttls=yes
                tls_reqcert=never
                searchbase="dc=ibm,dc=com"
                type=refreshAndPersist
                retry="5 5 300 +"
                interval=00:00:00:10

# NOTE(review): same scheme/port/starttls and tls_reqcert=never points as rid=444.
syncrepl        rid=777
                provider=ldap://10.x.x.x:636
                binddn="cn=Manager,dc=ibm,dc=com"
                bindmethod=simple
                credentials=xxxxxxxxx
		starttls=yes
                tls_reqcert=never
                searchbase="dc=ibm,dc=com"
                type=refreshAndPersist
                retry="5 5 300 +"
                interval=00:00:00:10

####
mirrormode true
#### Cache Entries #####
cachesize 3000000
lastmod         on
checkpoint 128 15
concurrency 100
#database monitor
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/apps/openldap/var/openldap-data
# Indices to maintain
#index	objectClass	eq
index mail,uid,postalCode,smail,channelType,channelValue,answer,behavName,objectclass,tokenID,type
eq
# NOTE(review): the "eq" on its own line looks like mail wrapping of the
# preceding index directive; confirm the real file has them on one line.
index givenName,sn,city,question,behavValue,cn,extName sub
index displayName approx

My ldap.conf file:
URI ldaps://localhost
BASE dc=ibm,dc=com
# NOTE(review): "ssl start_tls", "ssl on" and "tls_checkpeer" do not appear to
# be OpenLDAP ldap.conf(5) keywords (they look like nss_ldap/pam_ldap options);
# the OpenLDAP tools would ignore them, so they presumably have no effect here.
ssl start_tls
ssl on
tls_checkpeer no
# NOTE(review): "allow" makes the client accept a certificate it cannot verify,
# which is why the ldapsearch trace above reports "Error, self signed
# certificate" and still connects; switch to "demand" once the CA setting
# points at the provider's certificate.
TLS_REQCERT allow
# NOTE(review): OpenLDAP's keyword for the CA file is TLS_CACERT, so
# "tls_cacertfile" is presumably not read; also note the file name here
# (mmprodam04.pem) differs from the one in slapd.conf (mmprodadm04.pem), which
# may be a typo. The file given to clients should hold only the certificate,
# not the private key.
tls_cacertfile /apps/openldap/etc/openldap/certs/mmprodam04.pem
tls_cacertdir /apps/openldap/etc/openldap/certs


I am using a self-signed certificate.

Please let me know if I am going wrong.