Re: TLS/SSL failover problem
Thanks for the response. The slapd args are:
/usr/sbin/slapd -u ldap -g ldap -l LOCAL0 -s 0 -h ldap:/// ldaps:///
Paths to certificates are set up properly in /etc/openldap/slapd.conf:
I'm using a self-signed certificate, so I have set
The only other SSL/TLS related setting I have in my /etc/ldap.conf is:
With no failover in place SSL/TLS works just fine ... I can confirm that
by connecting to the ldap server over SSL with LDAP Browser/Editor and
by connecting with TLS using GQ.
It's only after switching to the failover server, and trying to switch
back to the primary ldap server that I run into a problem.
Maybe I need to use an explicit TLS_CACERT or TLS_CACERTDIR (I'm using
more than 1 CA since each ldap server uses a self-signed certificate).
How would I set logging in /etc/openldap/slapd.conf so that I could see
if it was a certificate problem?
On Wed, 2004-03-10 at 01:21, Dieter Kluenter wrote:
> Doug Wilson <email@example.com> writes:
> > I've got an OpenLDAP master server and an OpenLDAP slave server. I use
> > TLS to encrypt replication traffic between them and it works just fine.
> > I can also connect to each of them with TLS or SSL capable clients. SSL
> > connections with LDAP Browser\Editor v2.8.2
> > (http://www.iit.edu/~gawojar/ldap/), and TLS connections with GQ
> > (http://biot.com/gq/), so I know SSL & TLS are working properly.
> > When I tried to set up a failover configuration, however, I ran into all
> > sorts of problems.
> > Here's my understanding of how to configure failover ...
> > I have ssl set to off in /etc/ldap.conf. That's fine as long as I'm
> > authenticating via localhost, but if the local ldap server dies, and
> > nss_ldap and pam_ldap fall back on using ldap2.virtc.com, all of the
> > traffic will be un-encrypted across the network. That's bad, so I
> > wanted to turn on TLS or ssl.
> > I tried this in /etc/ldap.conf:
> > host ldap1.virtc.com ldap2.virtc.com
> > ssl on
> > With that setting, initial failover works. If I shut down the ldap
> > server on ldap1.virtc.com, nss_ldap and pam_ldap successfully connect to
> > ldap2.virtc.com over ssl for auth information.
> > However, when I restart the ldap server on ldap1.virtc.com, nss_ldap and
> > pam_ldap don't properly revert to using ldap1.virtc.com. In fact, a
> > 'getent passwd' on ldap1.virtc.com core dumps after providing the
> > contents of /etc/passwd. Here's what the output looks like:
> > Very curious since I'm using basic authentication, not sasl.
> > I can fix this by setting
> > ssl off
> > in /etc/ldap.conf, restarting ldap on ldap1.virtc.com, and then setting
> > ssl on
> > in /etc/ldap.conf.
> > Anybody know what's going on here?
> What are your slapd setup parameters?
> ./slapd -h "ldap:/// ldaps:///"
> Are the paths to certificates set properly in /etc/ldap.conf and
Project Director - Information Systems
Virtual Technology Corporation
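The message above raises the case of several LDAP servers that each present their own self-signed certificate, so the client has to trust more than one "CA". The script below is an added example, not code from the thread or from the OpenLDAP project: it builds the kind of hashed certificate directory that the OpenLDAP client library reads through TLS_CACERTDIR (one PEM file per trusted certificate, named after its subject hash with a numeric suffix), then checks with openssl whether a given server certificate is accepted against that directory. The hostnames ldap1.example.test, ldap2.example.test and rogue.example.test, the working directory, and the keys and certificates it generates are all constructed for the example; it needs only the openssl command and runs offline.

```shell
#!/bin/sh
# Added example: build a TLS_CACERTDIR holding several self-signed LDAP server
# certificates and verify server certs against it. All names and files below
# are constructed for the demonstration (assumptions, not the thread's setup).
set -e

WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/cacerts"   # the directory you would name in TLS_CACERTDIR / tls_cacertdir
mkdir -p "$CADIR"

# Generate a throw-away self-signed certificate and key for one server name.
# (Constructed test material; a real server would use its own key pair.)
make_selfsigned() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Copy a certificate into the CA directory under <subject-hash>.<n>, the
# layout openssl and libldap use for directory lookups. The suffix loop keeps
# two certificates whose subject hashes collide from overwriting each other.
install_ca() {
    crt="$1"
    hash=$(openssl x509 -noout -hash -in "$crt")
    n=0
    while [ -e "$CADIR/$hash.$n" ]; do n=$((n + 1)); done
    cp "$crt" "$CADIR/$hash.$n"
}

# Return 0 when the certificate is accepted against the CA directory,
# non-zero otherwise (e.g. a server cert that was never installed).
verify_against_dir() {
    openssl verify -CApath "$CADIR" "$1" >/dev/null 2>&1
}

# The client-side directive that points libldap at the directory.
print_directive() {
    echo "TLS_CACERTDIR $CADIR"
}

# Two servers, each with its own self-signed certificate, both trusted.
make_selfsigned ldap1.example.test
make_selfsigned ldap2.example.test
install_ca "$WORK/ldap1.example.test.crt"
install_ca "$WORK/ldap2.example.test.crt"

# A certificate that is not in the directory must be rejected.
make_selfsigned rogue.example.test

for host in ldap1.example.test ldap2.example.test rogue.example.test; do
    if verify_against_dir "$WORK/$host.crt"; then
        echo "$host: trusted"
    else
        echo "$host: NOT trusted"
    fi
done
print_directive
```

Running it prints "trusted" for the two installed certificates and "NOT trusted" for the third, followed by the TLS_CACERTDIR line to put in the client configuration. The same openssl verify call, pointed at the production directory and the certificate a server actually serves, is a quick offline way to tell a certificate trust problem apart from the failover behaviour described in the thread.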