[Date Prev][Date Next] [Chronological] [Thread] [Top]

Slurp SSL replication


I'm trying to set up slurp replication, which is something I haven't done before. I have it working fine over port 389 with plaintext, but for obvious security reasons I would like to have that traffic encrypted. I'm using openldap 2.0.27, which I'm told doesn't support the replica uri=ldaps://host.domain.tld/ syntax, so my master slapd.conf looks like this:

replica host=x.ammasso.com:636 tls=yes bindmethod=simple credentials=secret binddn="cn=x,o=Ammasso,c=US"

Again, this works fine if I do it over port 389, but with the above config it fails. The debug output on the slave looks like this:

daemon: new connection on 8
daemon: conn=264 fd=8 connection from IP=x.x.x.x:40468 (IP= accepted.
daemon: added 8r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 8r
daemon: read activity on 8
connection_get(8): got connid=264
connection_read(8): checking for input on id=264
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 30 1d 02 01 01 77 18 80 16 31 2e 0....w...1.
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:585
connection_read(8): TLS accept error error=-1 id=264, closing
connection_closing: readying conn=264 sd=8 for close
connection_close: conn=264 sd=8
daemon: removing 8

(Some irrelevant items have been x'ed out for the sake of privacy.)

What's with the TLS error? I'm sure the certificates are fine because I'm able to query with ldaps to both servers.

Mike Nuss