
RE: slurpd replication over TLS



It probably has nothing to do with your certs. TLS negotiates an SSL/TLS
session over the regular LDAP port (389), it does not work with an LDAPS
listener (port 636).

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Sarah Hollings

> Hi,
>
> Having a few problems trying to get secure replication working.
>
> I've compiled 2.0.23 from source.  Two servers behind a firewall have
> been working quite well for a year using 2.0.23 since I built them, as a
> backend to postfix and also providing auth for web and our CVS.
>
> Now I have a rackmount box out on the Internet and I'm trying to
> replicate to it over TLS.  No dice.
>
> I saw this:
>
> http://www.openldap.org/lists/openldap-software/200207/msg00065.html
>
> <blockquote>
> You cannot use self-signed certificates for TLS services. You must
> create one self-signed CA certificate and use that certificate to sign
> your server certificates. On each machine, you must install the CA
> certificate and tell the LDAP library where the CA cert is. You must
> also install and configure the individual server certificates for each
> server.
> </blockquote>
>
> So I set up a CA and went through the process of signing the
> certificate, but I still get "Can't contact LDAP server" in the debug
> output from slurpd, even when straight afterward I can run ldapsearch
> from the same command line that I ran slurpd from, to the same server
> over ldaps, and it works fine.
>
> On the slave server I see this debug output when slurpd tries to connect:
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:634
>
> Replica stanza looks like this on the master:
> replica host=metacortex.humanfactors.uq.edu.au:636 tls=yes
>          binddn="cn=Replicator,dc=humanfactors,dc=uq,dc=edu,dc=au"
>          bindmethod=simple credentials=changed_to_protect_the_guilty
>
> Now, I'm not sure how to "tell the LDAP library where the CA cert is".
> I've tried putting TLS_CACERT in /etc/ldap.conf, but I'm not convinced
> that slurpd reads that file as it gets its configuration from
> /etc/slapd.conf.
>
> Or the problem could be unrelated to the certs.
>
> Any help appreciated.
>
> Sarah Hollings
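The mix-up Howard describes (a replica stanza with tls=yes pointed at the ldaps port 636, where StartTLS cannot be negotiated) is easy to catch by linting the master's slapd.conf before restarting slurpd. The following is an added example, not OpenLDAP code and not from either poster: it parses the 2.0-era "replica" directive syntax shown in the thread (a "replica" line plus whitespace-indented continuation lines carrying key=value options), flags tls=yes on port 636, and as a general caveat also flags a simple bind with no tls=yes, since that sends the replicator password in the clear. The hostname, DN and credential in the sample are constructed placeholders; the default bindmethod=simple is an assumption of the checker.

```python
"""Lint slapd.conf 'replica' stanzas for the StartTLS-vs-LDAPS mix-up.

Added example, not OpenLDAP code. Assumes the 2.0-era slapd.conf syntax
seen in the thread: a 'replica' line followed by whitespace-indented
continuation lines, each carrying key=value options.
"""
import re

# Constructed sample: the first stanza repeats the mistake from the thread
# (tls=yes pointed at the ldaps port 636), the second is the corrected form
# (StartTLS on the plain LDAP port 389). Host, DN and secret are placeholders.
SAMPLE_CONF = """\
# master slapd.conf excerpt (constructed)
replica host=replica.example.org:636 tls=yes
        binddn="cn=Replicator,dc=example,dc=org"
        bindmethod=simple credentials=placeholder-secret

replica host=replica.example.org:389 tls=yes
        binddn="cn=Replicator,dc=example,dc=org"
        bindmethod=simple credentials=placeholder-secret
"""

# key=value, where the value is either a double-quoted string or a bare token
OPTION_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_replica_stanzas(conf_text):
    """Return one dict of options per 'replica' directive, folding in
    continuation lines (slapd.conf continues a directive on any line that
    starts with whitespace)."""
    stanzas = []
    current = None
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw.startswith('replica '):
            current = {}
            stanzas.append(current)
            body = raw[len('replica '):]
        elif raw[0] in ' \t' and current is not None:
            body = raw
        else:
            current = None  # any other directive ends the stanza
            continue
        for key, value in OPTION_RE.findall(body):
            current[key] = value.strip('"')
    return stanzas


def host_and_port(host_option, default_port=389):
    """Split 'name:port' into (name, port); the port defaults to 389."""
    if ':' in host_option:
        name, port = host_option.rsplit(':', 1)
        return name, int(port)
    return host_option, default_port


def check_replica(opts):
    """Return a list of findings (strings) for one replica stanza."""
    findings = []
    name, port = host_and_port(opts.get('host', ''))
    tls = opts.get('tls', 'no').lower()
    # tls=yes means StartTLS inside a plain LDAP session; an ldaps listener
    # expects TLS from the first byte, so the handshake fails on port 636.
    if tls == 'yes' and port == 636:
        findings.append(
            f"{name}:{port}: tls=yes negotiates StartTLS over plain LDAP and "
            "cannot talk to an ldaps listener on 636 (the slave logs 'unknown "
            "protocol'). Point the replica at port 389."
        )
    # General caveat: a simple bind without TLS exposes the credentials.
    if tls != 'yes' and opts.get('bindmethod', 'simple') == 'simple':
        findings.append(
            f"{name}:{port}: simple bind without tls=yes sends the replicator "
            "credentials in clear text."
        )
    return findings


def lint(conf_text):
    """Map each stanza's host option to its findings (empty list = ok)."""
    return {s.get('host', '?'): check_replica(s)
            for s in parse_replica_stanzas(conf_text)}


if __name__ == '__main__':
    for host, findings in lint(SAMPLE_CONF).items():
        print(host, '->', findings or ['ok'])
```

Run it against the real slapd.conf by reading the file into lint(); the first sample stanza reproduces the failure in the thread and the second is the form that lets slurpd negotiate StartTLS on the regular LDAP port.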