
slurpd replication over TLS
Hi,

Having a few problems trying to get secure replication working.

I've compiled 2.0.23 from source. Two servers behind a firewall have been working quite well for a year using 2.0.23 since I built them, as a backend to postfix and also providing auth for web and our CVS.

Now I have a rackmount box out on the Internet and I'm trying to replicate to it over TLS. No dice.

I saw this:

http://www.openldap.org/lists/openldap-software/200207/msg00065.html

> You cannot use self-signed certificates for TLS services. You must create one self-signed CA certificate and use that certificate to sign your server certificates. On each machine, you must install the CA certificate and tell the LDAP library where the CA cert is. You must also install and configure the individual server certificates for each server.

So I set up a CA and went through the process of signing the certificate, but I still get "Can't contact LDAP server" in the debug output from slurpd, even when straight afterward I can run ldapsearch from the same command line that I ran slurpd from, to the same server over ldaps, and it works fine.

On the slave server I see this debug output when slurpd tries to connect:
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:634
Replica stanza looks like this on the master:
replica host=metacortex.humanfactors.uq.edu.au:636 tls=yes
        binddn="cn=Replicator,dc=humanfactors,dc=uq,dc=edu,dc=au"
        bindmethod=simple credentials=changed_to_protect_the_guilty

Now, I'm not sure how to "tell the LDAP library where the CA cert is". I've tried putting TLS_CACERT in /etc/ldap.conf, but I'm not convinced that slurpd reads that file as it gets its configuration from /etc/slapd.conf.

Or the problem could be unrelated to the certs.

Any help appreciated.

Sarah Hollings
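Added example, not part of this thread and not OpenLDAP code: a small Python diagnostic that pulls apart the three pieces of evidence in the post above. It parses the OpenSSL-style "TLS: error:..." line into library/function/reason, sniffs the first bytes a listener received the same way an SSLv23 server does (TLS record, SSLv2 ClientHello, or something else, such as a cleartext LDAP message whose BER SEQUENCE starts with 0x30), and parses the replica stanza to flag a StartTLS-style option pointed at the conventional ldaps port. The sample StartTLS request bytes are constructed here, and the stanza check rests on the assumption that slurpd's tls=yes negotiates StartTLS on a plain connection rather than speaking ldaps from the first byte.

```python
import re
import shlex
from typing import List, Optional

LDAPS_PORT = 636  # conventional port for implicit-TLS LDAP (ldaps://)

# Matches OpenLDAP's relay of an OpenSSL error, e.g.
# "TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:634"
TLS_ERROR_RE = re.compile(
    r"TLS: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>.+?)(?:\s+(?P<file>\S+\.c):(?P<line>\d+))?$"
)

# Constructed sample: a cleartext LDAP StartTLS ExtendedRequest (messageID 1).
# SEQUENCE { INTEGER 1, [APPLICATION 23] { [0] "1.3.6.1.4.1.1466.20037" } }
STARTTLS_REQUEST = bytes.fromhex("301d020101" "7718" "8016") + b"1.3.6.1.4.1.1466.20037"

# Replica stanza as quoted in the post (credentials value is the poster's placeholder).
SAMPLE_STANZA = """replica host=metacortex.humanfactors.uq.edu.au:636 tls=yes
        binddn="cn=Replicator,dc=humanfactors,dc=uq,dc=edu,dc=au"
        bindmethod=simple credentials=changed_to_protect_the_guilty"""

SAMPLE_ERROR = ("TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:"
                "unknown protocol s23_srvr.c:634")


def parse_tls_error(line: str) -> Optional[dict]:
    """Split an OpenSSL error line into its fields; None if it is not one."""
    m = TLS_ERROR_RE.search(line.strip())
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def classify_first_bytes(data: bytes) -> str:
    """Classify the opening bytes of a connection the way an SSLv23 listener does."""
    if len(data) < 3:
        return "too-short"
    if data[0] == 0x16 and data[1] == 0x03:   # TLS handshake record, version 3.x
        return "tls-record"
    if data[0] & 0x80 and data[2] == 0x01:    # SSLv2 header with MSG-CLIENT-HELLO
        return "sslv2-hello"
    if data[0] == 0x30:                       # BER SEQUENCE: an LDAPMessage in the clear
        return "ldap-plaintext"
    return "unknown"


def parse_replica_stanza(text: str) -> dict:
    """Parse a slapd.conf 'replica' stanza (possibly wrapped) into a dict."""
    tokens = shlex.split(" ".join(text.split()))  # shlex honours the quoted binddn
    if not tokens or tokens[0] != "replica":
        raise ValueError("not a replica stanza")
    opts = dict(tok.split("=", 1) for tok in tokens[1:])
    host, _, port = opts["host"].partition(":")
    opts["host"] = host
    opts["port"] = int(port) if port else 389
    return opts


def diagnose(stanza_text: str, error_line: str,
             first_bytes: Optional[bytes] = None) -> List[str]:
    """Combine the server-side error, the sniffed bytes and the config into findings."""
    findings = []
    err = parse_tls_error(error_line)
    if err and err["reason"] == "unknown protocol":
        findings.append("listener expected a TLS ClientHello but the first bytes were "
                        "neither a TLS record nor an SSLv2 hello")
    if first_bytes is not None and classify_first_bytes(first_bytes) == "ldap-plaintext":
        findings.append("client sent a cleartext LDAPMessage (e.g. a StartTLS request or a "
                        "bind) to a port that speaks TLS from the first byte")
    stanza = parse_replica_stanza(stanza_text)
    if stanza.get("tls") in ("yes", "critical") and stanza["port"] == LDAPS_PORT:
        # Assumption: tls=yes means StartTLS over a plain connection.
        findings.append("tls=%s (StartTLS, assumed) targets port 636, the ldaps port: use the "
                        "StartTLS listener port instead, or a transport that speaks ldaps"
                        % stanza["tls"])
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_STANZA, SAMPLE_ERROR, STARTTLS_REQUEST):
        print("-", f)
```

Run it as-is and it prints the three findings for the post's own error line and stanza; feed `classify_first_bytes` a captured first packet from the slave's listener to confirm which protocol actually arrived.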