
Re: OpenLDAP-2.1.29 Replication over SSL



Thanks for pointing me in the right direction.

Here's the configuration that works for me:

Master:
slapd.conf
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
...
replica uri=ldaps://slave.domain.com
        binddn="uid=Replicator,ou=someOU,dc=domain,dc=com"
        bindmethod=simple
        credentials=password

Slave
slapd.conf
TLSCACertificateFile /usr/var/openldap-data/cacert.pem (same file as on the master)
TLSCertificateFile /usr/var/openldap-data/client.cert.pem (the cert I created for the 'client' using the same CA)
TLSCertificateKeyFile /usr/var/openldap-data/client.key.pem (the key I created for the 'client' using the same CA)
...
updatedn "uid=Replicator,ou=someOU,dc=domain,dc=com"
updateref ldaps://master.domain.com

Replication works fine over port 636.

Referrals still don't work over port 636.
I changed the SLAVE updateref to:

updateref ldap://master.domain.com:636

And this works for referrals over port 636 (ssl).

Joe Morin
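The thread's working configuration comes down to two things: the replicator's simple bind (a cleartext password) must travel only over TLS, and every server must trust the one CA that issued all the certificates. Below is an added example, not code from the thread or from OpenLDAP, that lints a slapd.conf of the 2.1-era form shown above (continuation lines begin with whitespace, `replica` takes key=value options) and flags a `replica` whose simple bind would go over a non-TLS URI, an `updateref` whose scheme is not `ldaps`, and a TLS replica with no `TLSCACertificateFile`. The sample configs are constructed from the messages in this thread; the handling of a `starttls=yes|critical` replica option and the fallback of `bindmethod` to `simple` when it is absent are the example's own assumptions. It goes by URL scheme, not port number, so the `ldap://master.domain.com:636` referral from the reply is flagged.

```python
"""Added example: lint slapd.conf replication directives for TLS exposure.

Not OpenLDAP code. Sample configurations below are constructed from the
mailing-list thread; directive names match slapd.conf(5) of that era.
"""
import shlex
from urllib.parse import urlsplit

# Constructed sample: the working master slapd.conf from the thread.
MASTER_OK = """\
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
replogfile /var/lib/ldap/master-slapd.replog
replica uri=ldaps://slave.domain.com
        binddn="uid=Replicator,ou=someOU,dc=domain,dc=com"
        bindmethod=simple
        credentials=password
"""

# Constructed sample: the same master pointed at the plain ldap:// service.
MASTER_CLEAR = MASTER_OK.replace("ldaps://slave", "ldap://slave")

# Constructed sample: slave carrying the ldap://host:636 referral from the reply.
SLAVE_PORT636 = """\
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
updatedn "uid=Replicator,ou=someOU,dc=domain,dc=com"
updateref ldap://master.domain.com:636
"""


def parse_slapd_conf(text):
    """Split slapd.conf text into (directive, [args]) pairs.

    A line that begins with whitespace continues the previous directive;
    lines starting with '#' are comments. Quoted values (the binddn) are
    kept as one argument.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    result = []
    for line in logical:
        parts = shlex.split(line)
        result.append((parts[0].lower(), parts[1:]))
    return result


def _options(args):
    """Turn the replica directive's key=value tokens into a dict."""
    opts = {}
    for token in args:
        key, sep, value = token.partition("=")
        if sep:
            opts[key.lower()] = value
    return opts


def _tls_protected(opts):
    """True if the replica session is TLS from the start (ldaps) or is
    upgraded with StartTLS (assumed option name: starttls=yes|critical)."""
    uri = opts.get("uri") or "ldap://" + opts.get("host", "")
    if urlsplit(uri).scheme.lower() == "ldaps":
        return True
    return opts.get("starttls", "").lower() in ("yes", "critical")


def check_replication_tls(text):
    """Return a list of human-readable findings (empty means no issue)."""
    findings = []
    has_ca = False
    needs_ca = False
    for name, args in parse_slapd_conf(text):
        if name == "tlscacertificatefile":
            has_ca = True
        elif name == "replica":
            opts = _options(args)
            protected = _tls_protected(opts)
            needs_ca = needs_ca or protected
            # Assumption: treat a missing bindmethod as simple (the unsafe case).
            if opts.get("bindmethod", "simple").lower() == "simple" and not protected:
                target = opts.get("uri") or opts.get("host", "?")
                findings.append("replica %s: simple bind sends the replicator "
                                "password in clear" % target)
        elif name == "updateref" and args:
            if urlsplit(args[0]).scheme.lower() != "ldaps":
                findings.append("updateref %s: scheme is not ldaps, so a client "
                                "following the referral speaks plain LDAP unless "
                                "it starts TLS itself" % args[0])
    if needs_ca and not has_ca:
        findings.append("TLS replica configured but no TLSCACertificateFile: "
                        "slurpd has no CA to verify the slave's certificate")
    return findings


if __name__ == "__main__":
    for label, conf in (("master", MASTER_OK), ("master-clear", MASTER_CLEAR),
                        ("slave", SLAVE_PORT636)):
        print(label, check_replication_tls(conf) or "ok")
```

Run it against a real slapd.conf by reading the file into `check_replication_tls`; the thread's own failure (a TLS handshake that never completes because each server trusted a different CA) is not visible from the config text alone, but a missing or inconsistent `TLSCACertificateFile` across the two files is, and that is what the last check reports.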




Howard Chu <hyc@symas.com>
10/21/2004 07:21 PM

To: jmorin@dominiondiagnostics.com
cc: OpenLDAP-software@OpenLDAP.org
Subject: Re: OpenLDAP-2.1.29 Replication over SSL

In the usual case any company/organization/whatever should only have one 
CA. You shouldn't create a separate CA cert for each server, just use 
one CA and create separate server certs for each server. Your setup 
makes no sense.

jmorin@dominiondiagnostics.com wrote:

>I know this question has been posed previously, but I haven't been able to
>configure replication via SSL successfully.
>
>Here's my environment:
>
>One Master server
>One Slave server
>Both running OpenLDAP 2.1.29
>
>Master configuration:
>
>I followed the "OpenLDAP SSL/TLS How-To" 
>(http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#3.0)
>instructions to create my own CA Issued Certificate and server cert and 
>server key.
>I also created a client cert and key.
>
>For Master:
>cp demoCA/cacert.pem /usr/var/openldap-data/MASTER-cacert.pem
>mv newcert.pem /usr/var/openldap-data/MASTER-servercrt.pem
>mv newreq.pem /usr/var/openldap-data/MASTER-serverkey.pem
>
>For client: ( after creating client certificate)
>mv newcert.pem ldap.slave.client.cert.pem
>mv newreq.pem ldap.slave.client.key.pem
>
>then added the following to my slapd.conf on the master
>
>TLSCACertificateFile /usr/var/openldap-data/MASTER-cacert.pem
>TLSCertificateFile /usr/var/openldap-data/MASTER-servercrt.pem
>TLSCertificateKeyFile /usr/var/openldap-data/MASTER-serverkey.pem
>
>then added the following to the ldap.conf file on the client (slave)
>TLS_CACERT /usr/var/openldap-data/MASTER.cacert.pem
>TLS_REQCERT demand
>added the following to the ldaprc file
>TLS_CERT /usr/var/openldap-data/ldap.slave.client.cert.pem
>TLS_KEY /usr/var/openldap-data/ldap.slave.client.key.pem
>
>At this point the Master is set up to receive LDAP traffic over port 636,
>the client (in this case the slave machine) can connect just fine using
>ldapsearch, ldapmodify, etc.
>
>I then set up the SLAVE server to accept ldap traffic via SSL in the same
>manner.
>
>Create the ca on the SLAVE
>Create the SLAVE-cacert.pem, SLAVE-servercrt.pem, and SLAVE-serverkey.pem.
>
>Create a client cert and key.  ldap.master.client.cert.pem and 
>ldap.master.client.key.pem
>
>Add the following to the SLAVE server's slapd.conf file
>TLSCACertificateFile /usr/var/openldap-data/SLAVE-cacert.pem
>TLSCertificateFile /usr/var/openldap-data/SLAVE-servercrt.pem
>TLSCertificateKeyFile /usr/var/openldap-data/SLAVE-serverkey.pem
>
>then add the following to the ldap.conf file on the master
>TLS_CACERT /usr/var/openldap-data/SLAVE-cacert.pem
>TLS_REQCERT demand
>add the following to the ldaprc file
>TLS_CERT /usr/var/openldap-data/ldap.master.client.cert.pem
>TLS_KEY /usr/var/openldap-data/ldap.master.client.key.pem
>
>Again, the master can connect to the slave (via SSL) using ldapsearch, 
>etc.
>
>I set up the MASTER slapd.conf for replication
>
>replogfile      /var/lib/ldap/master-slapd.replog
>replica uri=ldaps://slave.domain.com
>        binddn="uid=Replicator,ou=someOU,dc=domain,dc=com"
>        bindmethod=simple
>        credentials=password
>
>configure the SLAVE slapd.conf for replication/referrals
>
>updatedn "uid=Replicator,ou=someOU,dc=domain,dc=com"
>updateref ldaps://master.domain.com
>
>At this point I restarted both LDAP servers and was able to connect to 
>each one using ldapsearch from some client via SSL.
>Referrals work fine (although NOT over port 636), but replication does 
>NOT.
>If I switch to 'replica uri=ldap://servername' it works fine, on port
>389.
>
>I read in the list by Howard Chu:
>"Since you have two different self-signed certs, one for master and one for
>slave, you should cat them both into a single file. Then, in slapd.conf of both
>the master and slave you should specify TLSCACertificateFile with the file you
>just created."
>
>So I concatenated both the slave and master cacert.pem files into ONE file
>(/usr/var/openldap-data/cacert.pem) and changed BOTH the master and slave
>slapd.conf files to use
>
>TLSCACertificateFile /usr/var/openldap-data/cacert.pem
>
>It's the same file on both machines, it's the two cacert.pem files
>concatenated together into one file. Everything else remains the same.
>
>Restart ldap on both servers.
>
>I can connect from slave to master via ssl using ldapsearch.
>I can connect from master to slave via ssl using ldapsearch
>(ex. ldapsearch -LLL -H ldaps://master.domain.com .......)
>
>referrals still work, but replication does not.
>
>I'm receiving these messages on the master server in the /var/log/messages
>file
>
>slurpd: Initializing session to ldaps://slave.domain.com
>slurpd: bind to slave.domain.com:636 as 
>uid=Replicator,ou=someOU,dc=domain,dc=com (simple)
>slurpd: TLS: can't connect.
>slurpd: Error: ldap_simple_bind_s for slave.domain.com:636 failed: Can't 
>contact LDAP server
>
>On the slave I'm receiving (in the ldap.log file)
>slapd[7478]: conn=45 fd=8 ACCEPT from IP=192.168.100.1:35608 
>(IP=0.0.0.0:636)
>slapd[7478]: connection_get(8)
>slapd[7478]: connection_get(8)
>slapd[7478]: conn=45 fd=8 closed
>
>Using ethereal on the slave server I see the master trying to initiate an
>SSL connection, but it's getting a TLS handshake failure.
>
>Can someone tell me where I'm going wrong?
>
>I'm guessing it's my SSL configuration, but I'm not sure where to start.
>Do I need to issue ALL the certificates and keys from ONE ca?  If so which
>certs/keys go where?
>
>Thank you for your anticipated help!
>
>Joe Morin
>
>
>


-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support