
(ITS#8302) The chain-tls failure



Full_Name: Ben Huang
Version: 2.4.37
OS: Ubuntu 12.04.4 LTS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (202.130.86.130)


Two servers: Provider (a public IP) and Consumer (a private IP), both running
slapd 2.4.37 on Ubuntu 12.04. Replica is a replication partner of Provider using
syncrepl. Replication and TLS are working fine. When I attempt to add a chain
overlay to Replica to send all writes over to the Provider, I cannot enable TLS
from the consumer to the LDAP Provider.

Here is my overlay config using the rootDN and TLS (on Replica):

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbStartTLS: none  starttls=no
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0

dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: "ldap://provider.example.com";
olcDbStartTLS: start starttls=no
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindm
 ethod=simple timeout=0 network-timeout=0 binddn="cn=admin,dc=ufreight,dc=com"
  credentials="password" keepalive=0:0:0
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0

With the above configuration, running the following command works:

#ldapsearch -xLLL -H ldap://ldap-u1.ufreight.com -ZZ uid=testuser dn
dn: uid=testuser,ou=People,dc=ufreight,dc=com

But the error below occurs when I try to add an entry on the consumer.

ldapadd -x -D "cn=admin,dc=ufreight,dc=com" -w password -f add_user.ldif -ZZ
adding new entry "uid=test,ou=People,dc=ufreight,dc=com"
ldap_add: Server is unavailable (52)

Consumer LDAP logs:
Nov  5 19:12:28 consumer slapd[6575]: conn=1005 fd=16 ACCEPT from
IP=127.0.0.1:41018 (IP=0.0.0.0:389)
Nov  5 19:12:29 consumer slapd[6575]: conn=1005 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Nov  5 19:12:29 consumer slapd[6575]: conn=1005 op=0 STARTTLS
Nov  5 19:12:29 consumer slapd[6575]: conn=1005 op=0 RESULT oid= err=0 text=
Nov  5 19:12:30 consumer slapd[6575]: conn=1005 fd=16 TLS established
tls_ssf=128 ssf=128
Nov  5 19:12:31 consumer slapd[6575]: conn=1005 op=1 BIND
dn="cn=admin,dc=ufreight,dc=com" method=128
Nov  5 19:12:31 consumer slapd[6575]: conn=1005 op=1 BIND
dn="cn=admin,dc=ufreight,dc=com" mech=SIMPLE ssf=0
Nov  5 19:12:31 consumer slapd[6575]: conn=1005 op=1 RESULT tag=97 err=0 text=
Nov  5 19:12:32 consumer slapd[6575]: conn=1005 op=2 ADD
dn="uid=test,ou=People,dc=ufreight,dc=com"
Nov  5 19:12:32 consumer slapd[6575]: conn=1005 op=2 RESULT tag=105 err=52
text=
Nov  5 19:12:33 consumer slapd[6575]: conn=1005 op=3 UNBIND
Nov  5 19:12:33 consumer slapd[6575]: conn=1005 fd=16 closed


Provider LDAP logs:
Nov  5 19:11:18 provider slapd[17011]: conn=312743 fd=13 ACCEPT from
IP=140.207.172.138:39551 (IP=0.0.0.0:389)
Nov  5 19:11:18 provider slapd[17011]: conn=312743 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Nov  5 19:11:18 provider slapd[17011]: conn=312743 op=0 STARTTLS
Nov  5 19:11:18 provider slapd[17011]: conn=312743 op=0 RESULT oid= err=0 text=
Nov  5 19:11:19 provider slapd[17011]: conn=312743 fd=13 closed (TLS negotiation
failure)

Any suggestion as to what causes the TLS negotiation failure? Thank you very much.
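The two log excerpts above show the pattern a practitioner wants to isolate when a chained or proxied bind fails under StartTLS: the provider accepts the StartTLS extended operation (oid=1.3.6.1.4.1.1466.20037, err=0) and only afterwards closes the socket with "TLS negotiation failure", so the LDAP layer is fine and the TLS handshake itself is what breaks. The script below is an added example, not part of the ITS report or of OpenLDAP: it parses syslog-style slapd lines (re-joining lines wrapped by a mail client, as the ones quoted above are), groups them by connection, and reports every connection that requested StartTLS but never reached "TLS established", together with the peer address and the close reason. The sample log is constructed from the lines in this report.

```python
"""Correlate StartTLS requests with their outcome in slapd log lines.

Added example (not the reporter's or OpenLDAP's code). Reads syslog-style
slapd output, groups it per connection and flags connections where the
StartTLS extended operation was accepted but no TLS session was established.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# "Nov  5 19:11:18 provider slapd[17011]: conn=312743 <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[\d+\]: "
    r"conn=(?P<conn>\d+) (?P<rest>.*)$"
)
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):(?P<port>\d+)")
EXT_RE = re.compile(r"op=(?P<op>\d+) EXT oid=(?P<oid>[\d.]+)")
TLS_OK_RE = re.compile(r"TLS established tls_ssf=(?P<tls_ssf>\d+) ssf=(?P<ssf>\d+)")
CLOSED_RE = re.compile(r"\bclosed\b(?: \((?P<reason>[^)]*)\))?")


@dataclass
class Conn:
    host: str
    conn: str
    peer: str = ""
    starttls_requested: bool = False
    tls_established: bool = False
    tls_ssf: int = 0
    close_reason: Optional[str] = None  # "" = clean close, None = still open


def unwrap(text: str) -> List[str]:
    """Re-join log lines that a mail client wrapped at ~80 columns."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if LINE_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line.lstrip()
    return out


def parse(text: str) -> Dict[Tuple[str, str], Conn]:
    """Group slapd lines by (host, conn) and record the TLS-relevant events."""
    conns: Dict[Tuple[str, str], Conn] = {}
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault((m["host"], m["conn"]), Conn(m["host"], m["conn"]))
        rest = m["rest"]
        if (a := ACCEPT_RE.search(rest)):
            c.peer = f"{a['ip']}:{a['port']}"
        elif (e := EXT_RE.search(rest)) and e["oid"] == STARTTLS_OID:
            c.starttls_requested = True
        elif (t := TLS_OK_RE.search(rest)):
            c.tls_established = True
            c.tls_ssf = int(t["tls_ssf"])
        elif (cl := CLOSED_RE.search(rest)):
            c.close_reason = cl["reason"] or ""
    return conns


def starttls_failures(conns: Dict[Tuple[str, str], Conn]) -> List[Conn]:
    """Connections that asked for StartTLS but never logged 'TLS established'."""
    return [c for c in conns.values() if c.starttls_requested and not c.tls_established]


def report(conns: Dict[Tuple[str, str], Conn]) -> List[str]:
    """One summary line per connection that requested StartTLS."""
    lines = []
    for c in conns.values():
        if not c.starttls_requested:
            continue
        if c.tls_established:
            status = f"TLS ok (tls_ssf={c.tls_ssf})"
        else:
            status = f"TLS FAILED: {c.close_reason or 'no close reason logged'}"
        lines.append(f"{c.host} conn={c.conn} peer={c.peer} {status}")
    return lines


# Constructed sample: the consumer and provider excerpts from the report, still
# wrapped the way the mail archive shows them.
SAMPLE_LOG = """\
Nov  5 19:12:28 consumer slapd[6575]: conn=1005 fd=16 ACCEPT from
IP=127.0.0.1:41018 (IP=0.0.0.0:389)
Nov  5 19:12:29 consumer slapd[6575]: conn=1005 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Nov  5 19:12:29 consumer slapd[6575]: conn=1005 op=0 STARTTLS
Nov  5 19:12:29 consumer slapd[6575]: conn=1005 op=0 RESULT oid= err=0 text=
Nov  5 19:12:30 consumer slapd[6575]: conn=1005 fd=16 TLS established
tls_ssf=128 ssf=128
Nov  5 19:12:33 consumer slapd[6575]: conn=1005 fd=16 closed
Nov  5 19:11:18 provider slapd[17011]: conn=312743 fd=13 ACCEPT from
IP=140.207.172.138:39551 (IP=0.0.0.0:389)
Nov  5 19:11:18 provider slapd[17011]: conn=312743 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Nov  5 19:11:18 provider slapd[17011]: conn=312743 op=0 STARTTLS
Nov  5 19:11:18 provider slapd[17011]: conn=312743 op=0 RESULT oid= err=0 text=
Nov  5 19:11:19 provider slapd[17011]: conn=312743 fd=13 closed (TLS negotiation
failure)
"""

if __name__ == "__main__":
    for line in report(parse(SAMPLE_LOG)):
        print(line)
```

Run it against the provider's syslog to see which peers fail the handshake after a successful StartTLS exchange; the failing peer here is the consumer's public address, so the next step is the TLS client configuration of the slapd process on the consumer, not the provider's listener. Two things the report itself points at: the back-ldap tls directive (olcDbStartTLS) accepts tls_cacert=, tls_reqcert= and related options for exactly this outbound connection, so the CA the slapd process trusts should be set there or in the ldap.conf that process reads; and the chain's olcDbURI names provider.example.com while the ldapsearch that works targets ldap-u1.ufreight.com. Unless that difference is only anonymisation, the name slapd connects to must match the provider's certificate when tls_reqcert=demand is in effect. Running ldapsearch -ZZ -d 1 from the consumer against the same URI as olcDbURI reproduces the handshake outside the overlay and prints the TLS error.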