
secure replication (slurpd, TLS)



Dear Sirs,

please help me!
I would like to configure secure replication.
The clients work fine over TLS (i.e. PAM from PADL Software). The connection is
encrypted.
But it doesn't work for "slurpd"!?! (could be I am doing something wrong...)
I have the latest release of OpenLDAP, 2.0.18, and OpenSSL 0.9.6a, compiled
under Linux, kernel 2.4.9.
If I delete port number 636 from the config file, everything is OK!
Replication works over the non-encrypted connection (port 389).

See this part of the master slapd.conf:
----------------------------------------8<---------------------------------------

replica      host=slave.financial.com:636
                tls=yes
                binddn="cn=Manager,o=financial.com"
                bindmethod=simple
                credentials=somepass

----------------------------------------8<---------------------------------------


I'm starting:

/usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d 9

And you can see a successful connection from the PAM client:

----------------------------------------8<---------------------------------------

connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data

----------------------------------------8<---------------------------------------

The next part is a connection from slurpd:

----------------------------------------8<---------------------------------------

connection_get(10): got connid=1
connection_read(10): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:565
connection_read(10): TLS accept error error=-1 id=1, closing
connection_closing: readying conn=1 sd=10 for close
connection_close: conn=1 sd=10
daemon: removing 10
----------------------------------------8<---------------------------------------

Many regards,
Serguei
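As an added example (not part of Serguei's post or of OpenLDAP itself), here is a small classifier run over the two slapd -d 9 excerpts above. It shows that the "error in SSLv3 read client certificate A" lines in the PAM trace are benign non-blocking retries, since that handshake still reaches "write finished A", whereas the slurpd trace stops at the very first client bytes with OpenSSL's "unknown protocol", which is what SSL23_GET_CLIENT_HELLO reports when the peer sends something other than a TLS hello (for example cleartext LDAP) to an ldaps:// listener. The sample traces are constructed from the post, abbreviated, with the wrapped OpenSSL error line joined.

```python
import re

# Constructed sample input: abbreviated from the two slapd -d 9 excerpts in the post.
PAM_TRACE = """\
connection_get(10): got connid=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
"""
SLURPD_TRACE = """\
connection_get(10): got connid=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:565
connection_read(10): TLS accept error error=-1 id=1, closing
"""

TRACE_RE = re.compile(r"^TLS trace: SSL_accept:(.*)$")
OSSL_ERR_RE = re.compile(r"^TLS: error:([0-9A-F]+):SSL routines:([^:]+):(.*)$")

def classify_handshake(trace):
    """Classify one slapd SSL_accept trace excerpt.

    'completed'        - server wrote its Finished message, handshake done.
    'unknown_protocol' - OpenSSL rejected the client's first bytes as not TLS,
                         i.e. the peer spoke cleartext to a TLS-only port.
    'failed'           - some other fatal accept error.
    'incomplete'       - no outcome visible in this excerpt.
    """
    wrote_finished, fatal = False, None
    for line in trace.splitlines():
        m = TRACE_RE.match(line)
        # 'error in ... A' lines WITHOUT a following 'TLS: error:' line are just
        # non-blocking retries (WANT_READ); only the real OpenSSL error is fatal.
        if m and m.group(1).endswith("write finished A"):
            wrote_finished = True
        m = OSSL_ERR_RE.match(line)
        if m:
            fatal = m.group(3)  # e.g. 'unknown protocol s23_srvr.c:565'
    if wrote_finished:
        return "completed"
    if fatal and fatal.startswith("unknown protocol"):
        return "unknown_protocol"
    if fatal or "TLS accept error" in trace:
        return "failed"
    return "incomplete"
```

An "unknown_protocol" verdict on an ldaps:// listener points at the client side of the connection, not at certificates: check what the replica actually sends to port 636 rather than tuning the server's TLS settings.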