[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Slurpd over SSL

Port 636 is the default LDAPS (LDAP over SSL) port. As already noted, you
cannot use the LDAP StartTLS request over SSL. If you want slurpd to use SSL,
you must not specify TLS in the replica configuration.

If you're using OpenLDAP 2.1.23 you can use a URI in the replica
configuration, and specify ldaps there. e.g., instead of
	replica host=foo.bar.domain:636
	replica uri=ldaps://foo.bar.domain

If you're using an older release, you'll need to set TLS=hard in an ldaprc
file. The ldaprc file can either be in the slurpd user's home directory, or
in the slurpd process's working directory.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Estevam Viragh

Hello List,

I'll appreciate your help on the following issue.
I'm trying to set up slurpd replication over ssl.
There is one master and only one slave on my lab env.
Both are serving only ssl enabled clients pretty smoothly that
the ldapsearch from one connects, searchs, and adds to each other,
using CA Issued Certificate, just like the OpenLDAP TLS/SSL How-to
and like many Howard Chu answer posts :-)
So, it does not seems to be related to using self signed,
but I'm getting this slurpd debbug messages:
"Error: ldap_start_tls failed: Can't contact LDAP server (81)"

Also, the replication runs finely on ldap:// manner (simple
and insecure)

I read a paragraph on item 7.0 of the mentined how to wich says:
"Also, attempting to call ldap_start_tls_s() when an SSL connection
is already utilized will also be in error"
So, is that a way to start slurpd directly with ssl ?
Is that the point or I'd missed some thig ?

# My ldap.conf:

URI   ldaps://savatage.heavymetal.com
BASE   o=heavymetal.com
TLS_CACERT      /var/myca/demoCA/cacert.pem
TLS_REQCERT     never

# My slapd.conf (the relevant part):

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include         /usr/etc/openldap/schema/core.schema
include         /usr/etc/openldap/schema/cosine.schema
include         /usr/etc/openldap/schema/nis.schema
include         /usr/etc/openldap/schema/inetorgperson.schema
include         /usr/etc/openldap/schema/misc.schema
include         /usr/etc/openldap/schema/openldap.schema
access to *
        by self write
        by users read
        by anonymous auth
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /usr/var/openldap-data/cacert.pem
TLSCertificateFile      /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile   /usr/var/openldap-data/serverkey.pem
TLSVerifyClient         never
database        ldbm
replica         host=angra.heavymetal.com:636 tls=critical
                bindmethod=simple credentials=mypass
replogfile      /usr/var/openldap-data/replog/changes.log
suffix          "o=heavymetal.com"
rootdn          "cn=metallord,o=heavymetal.com"
rootpw          mypass
directory       /usr/var/openldap-data
index   objectClass     eq

# ldapsearch results:

ldapsearch -x -D "cn=metallord,o=heavymetal.com" -W \
-b o=heavymetal.com -s sub -H ldaps://angra.heavymetal.com \
-v '(objectclass=*)'
ldap_initialize( ldaps://angra.heavymetal.com )
Enter LDAP Password:
filter: (objectclass=*)
requesting: ALL
# extended LDIF
# LDAPv3
# base <o=heavymetal.com> with scope sub
# filter: (objectclass=*)
# requesting: ALL

# heavymetal.com
dn: o=heavymetal.com
objectClass: top
objectClass: organization
o: heavymetal.com
description: Heavy Metal Land
# computers, heavymetal.com
dn: ou=computers,o=heavymetal.com
ou: computers
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2