[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl with SASL External

Dieter Kluenter wrote:
> Hi,
> Angela Gavazzi <edv@goetheanum.ch> writes:
>> Hallo!
>> I'm trying to set up a replication with syncrepl and saslmech external and it 
>> wont succeed.
>> I was reading a lot but I really don't see where the problem is now and don't 
>> know how to continue. So I really would appreciate if somebody could point me 
>> to the probable error.
>> Please let me know if you need more infos.
> [...]
>> *****************************************************************
>>  slave:
>> ...
>> overlay syncprov
>> syncrepl rid=001
>>         provider=ldap://erde.aag:389
>>         searchbase="dc=aag"
>>         type=refreshOnly
>>         filter="objectClass=*"
>>         attrs="*,+"
>>         schemachecking=off
>>         scope=sub
>>         interval=00:00:01:00
>>         updatedn "cn=repl,dc=aag"
>>         updateref="ldap://erde.aag:389";
>>         bindmethod=sasl
>>         saslmech=EXTERNAL
> Is the relevant ldaprc pointing to the certificate?
>> authz-regexp
>>         "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische 
>> Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch" "ldap:///dc=aag??one?
>> (cn=repl)"
> What is the result of ldapwhoami -Yexternal -ZZ ldap://mond.aag?

If the above works, I think you'll need to add


to your syncrepl configuration, and make sure TLS is configured OK both
in the producer (see slapd.conf(5)) and in the consumer (see
ldap.conf(5)), and make sure the TLS_CERT and TLS_KEY are set in the
user-specific ldap.conf(5), and that TLS_REQCERT in the consumer's
ldap.conf(5) and TLSVerifyClient in the producer's slapd.conf(5) are set
to something like "demand", so that certificates are checked for sure by
both peers.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it