Slurpd over SSL

Hello List,

I'd appreciate your help on the following issue.
I'm trying to set up slurpd replication over SSL.
There is one master and only one slave in my lab env.
Both are serving only SSL-enabled clients pretty smoothly:
ldapsearch from one connects, searches, and adds to the other,
using a CA-issued certificate, just like the OpenLDAP TLS/SSL How-to
and like many Howard Chu answer posts :-)
So, it does not seem to be related to using self-signed certificates,
but I'm getting this slurpd debug message:
"Error: ldap_start_tls failed: Can't contact LDAP server (81)"
Also, the replication runs fine in ldap:// mode (simple
and insecure).
I read a paragraph in item 7.0 of the mentioned how-to which says:
"Also, attempting to call ldap_start_tls_s() when an SSL connection
is already utilized will also be in error"
So, is there a way to start slurpd directly with SSL?
Is that the point, or have I missed something?

# My ldap.conf:
URI   ldaps://savatage.heavymetal.com
BASE   o=heavymetal.com
TLS_CACERT      /var/myca/demoCA/cacert.pem
TLS_REQCERT     never

# My slapd.conf (the relevant part):
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include         /usr/etc/openldap/schema/core.schema
include         /usr/etc/openldap/schema/cosine.schema
include         /usr/etc/openldap/schema/nis.schema
include         /usr/etc/openldap/schema/inetorgperson.schema
include         /usr/etc/openldap/schema/misc.schema
include         /usr/etc/openldap/schema/openldap.schema
access to *
        by self write
        by users read
        by anonymous auth
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /usr/var/openldap-data/cacert.pem
TLSCertificateFile      /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile   /usr/var/openldap-data/serverkey.pem
TLSVerifyClient         never
database        ldbm
replica         host=angra.heavymetal.com:636 tls=critical
                bindmethod=simple credentials=mypass
replogfile      /usr/var/openldap-data/replog/changes.log
suffix          "o=heavymetal.com"
rootdn          "cn=metallord,o=heavymetal.com"
rootpw          mypass
directory       /usr/var/openldap-data
index   objectClass     eq

# ldapsearch results:
ldapsearch -x -D "cn=metallord,o=heavymetal.com" -W \
-b o=heavymetal.com -s sub -H ldaps://angra.heavymetal.com \
-v '(objectclass=*)'
ldap_initialize( ldaps://angra.heavymetal.com )
Enter LDAP Password:
filter: (objectclass=*)
requesting: ALL
# extended LDIF
# LDAPv3
# base <o=heavymetal.com> with scope sub
# filter: (objectclass=*)
# requesting: ALL

# heavymetal.com
dn: o=heavymetal.com
objectClass: top
objectClass: organization
o: heavymetal.com
description: Heavy Metal Land
# computers, heavymetal.com
dn: ou=computers,o=heavymetal.com
ou: computers
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
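
A configuration check for the situation described in the post, added here as an example; it is not part of the original message or of OpenLDAP. It parses slapd.conf replica directives and flags one that combines tls= (which makes slurpd issue StartTLS, the call named in the error above) with port 636, assumed here to be an ldaps:// listener that expects TLS from the first byte. The function names and finding labels are hypothetical, and the sample config is constructed from the directive quoted above.

```python
import shlex

LDAPS_PORT = 636  # assumption: conventional ldaps:// port, TLS expected from the first byte

# Constructed sample, modelled on the replica directive in the post above.
SAMPLE_SLAPD_CONF = """\
database        ldbm
replica         host=angra.heavymetal.com:636 tls=critical
                bindmethod=simple credentials=mypass
replogfile      /usr/var/openldap-data/replog/changes.log
replica         host=replica2.example.com:389
                bindmethod=simple credentials=mypass
replica         host=replica3.example.com tls=critical bindmethod=simple
"""

def logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace); drop blank and comment lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def check_replicas(text):
    """Return (host, port, finding) for each replica directive."""
    results = []
    for line in logical_lines(text):
        words = shlex.split(line)
        if words[0].lower() != "replica":
            continue
        opts = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        host, _, port = opts.get("host", "").partition(":")
        port = int(port) if port else 389  # plain LDAP default
        starttls = opts.get("tls", "").lower() in ("yes", "critical")
        if starttls and port == LDAPS_PORT:
            finding = "starttls-on-ldaps-port"   # StartTLS sent to a listener already expecting TLS
        elif not starttls and opts.get("bindmethod") == "simple":
            finding = "cleartext-simple-bind"    # password crosses the wire unprotected
        else:
            finding = "ok"
        results.append((host, port, finding))
    return results

if __name__ == "__main__":
    for host, port, finding in check_replicas(SAMPLE_SLAPD_CONF):
        print(f"{host}:{port}\t{finding}")
```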