[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS/SSL failover problem


Doug Wilson <dwilson@virtc.com> writes:

> I've got an OpenLDAP master server and an OpenLDAP slave server.  I use
> TLS to encrypt replication traffic between them and it works just fine. 
> I can also connect to each of them with TLS or SSL capable clients.  SSL
> connections with LDAP Browser\Editor v2.8.2
> (http://www.iit.edu/~gawojar/ldap/), and TLS connections with GQ
> (http://biot.com/gq/), so I know SSL & TLS are working properly.
> When I tried to setup a failover configuration, however, I ran into all
> sorts of problems.
> Here's my understanding of how to configure failover ...
> I have ssl set to off in /etc/ldap.conf.  That's fine as long as I'm
> authenticating via localhost, but if the local ldap server dies, and
> nss_ldap and pam_ldap fall back on using ldap2.virtc.com, all of the
> traffic will be un-encrypted across the network.  That's bad, so I
> wanted to turn on TLS or ssl.
> I tried this in /etc/ldap.conf:
> host ldap1.virtc.com ldap2.virtc.com
> ssl on
> With that setting, initial failover works.  If I shut down the ldap
> server on ldap1.virtc.com, nss_ldap and pam_ldap successfully connect to
> ldap2.virtc.com over ssl for auth information.
> However, when I restart the ldap server on ldap1.virtc.com, nss_ldap and
> pam_ldap don't properly revert to using ldap1.virtc.com.  In fact, a
> 'getent passwd' on ldap1.virtc.com core dumps after providing the
> contents of /etc/passwd.  Here's what the output looks like:
> Very curious since I'm using basic authentication, not sasl.
> I can fix this by setting
> ssl off
> in /etc/ldap.conf, restarting ldap on ldap1.virtc.com, and then setting
> ssl on
> in /etc/ldap.conf.
> Anybody know what's going on here?

What are your slapd setup parameters?
./slapd -h "ldap:/// ldaps:///"
Are the paths to certificates set properly in /etc/ldap.conf and


Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de