[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl with SASL External



Am Samstag, 3. März 2007 00:04 schrieb Pierangelo Masarati:

> Dieter Kluenter wrote:

> > Hi,

> >

> > Angela Gavazzi <edv@goetheanum.ch> writes:

> >> Hallo!

> >>

> >> I'm trying to set up a replication with syncrepl and saslmech external

> >> and it wont succeed.

> >> I was reading a lot but I really don't see where the problem is now and

> >> don't know how to continue. So I really would appreciate if somebody

> >> could point me to the probable error.

> >> Please let me know if you need more infos.

> >

> > [...]

> >

> >> *****************************************************************

> >> slave:

> >>

> >> ...

> >> overlay syncprov

> >> syncrepl rid=001

> >> provider=ldap://erde.aag:389

> >> searchbase="dc=aag"

> >> type=refreshOnly

> >> filter="objectClass=*"

> >> attrs="*,+"

> >> schemachecking=off

> >> scope=sub

> >> interval=00:00:01:00

> >> updatedn "cn=repl,dc=aag"

> >> updateref="ldap://erde.aag:389"

> >> bindmethod=sasl

> >> saslmech=EXTERNAL

Hi, first I updated to 2.3.32 as Quanah wrote.

> > Is the relevant ldaprc pointing to the certificate?

... from man

Users may create an optional configuration file, ldaprc or .ldaprc, in their home directory which will be used to override the system-wide defaults file.

The file ldaprc in the current working directory is also used.

So I thought that ldap.conf is enough.

Apologize the question:

Where should ldaprc/.ldaprc be, if the ldapuser has no shell?

Or what's the current working directory from openldap?

The homedir from ldapuser is /usr/local/ldap. I put the ldaprc therein, I tried also /etc/ldap and tried to start slapd with -r / - only for testing - and put it in there, but it makes no difference.

That's my ldap.conf

BASE dc=aag

URI ldap://erde.aag:389

TLS_CACERT /etc/ldap/certs/cacert.pem

TLS_CERT /etc/ldap/certs/mond.aag_cert.pem

TLS_KEY /etc/ldap/certs/mond.aag_key.pem

> >

> >> authz-regexp

> >> "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische

> >> Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"

> >> "ldap:///dc=aag??one? (cn=repl)"

> >

> > What is the result of ldapwhoami -Yexternal -ZZ ldap://mond.aag?

ldapwhoami -Yexternal -ZZ ldap://mond.aag

SASL/EXTERNAL authentication started

SASL username: emailAddress=edv@goetheanum.ch,CN=mond.aag,OU=Goetheanum,O=Allgemeine Anthroposophische Gesellschaft,L=Dornach,ST=Switzerland,C=CH

SASL SSF: 0

dn:email=edv@goetheanum.ch,cn=mond.aag,ou=goetheanum,o=allgemeine anthroposophische gesellschaft,l=dornach,st=switzerland,c=ch

Result: Success (0)

>

> If the above works, I think you'll need to add

>

> starttls=critical

I did it and got this now:

TLS certificate verification: depth: 0, err: 18, subject: /C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische Gesellschaft/OU=Goetheanum/CN=erde.aag/emailAddress=edv@goetheanum.ch, issuer: /C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische Gesellschaft/OU=Goetheanum/CN=erde.aag/emailAddress=edv@goetheanum.ch

TLS certificate verification: Error, self signed certificate

tls_write: want=7, written=7

0000: 15 03 01 00 02 02 30 ......0

TLS trace: SSL3 alert write:fatal:unknown CA

TLS trace: SSL_connect:error in SSLv3 read server certificate B

TLS trace: SSL_connect:error in SSLv3 read server certificate B

TLS: can't connect.

Error: rid 001 ldap_start_tls failed (-11)

So I understand that openldap doesn't recognize the CA, but at the moment I don't know how to solve this.

It makes no difference if I start slapd as root, even if my ldapsearch as root works. I'm sure all cert and key files are accessible by the ldapuser.

Thank's to all

Angela

> to your syncrepl configuration, and make sure TLS is configured OK both

> in the producer (see slapd.conf(5)) and in the consumer (see

> ldap.conf(5)), and make sure the TLS_CERT and TLS_KEY are set in the

> user-specific ldap.conf(5),

see below*

> and that TLS_REQCERT in the consumer's ldap.conf(5)

TLS_REQCERT require

> and TLSVerifyClient in the producer's slapd.conf(5) are set

TLSVerifyClient demand

> to something like "demand", so that certificates are checked for sure by

> both peers.

>

> p.

>

>

>

> Ing. Pierangelo Masarati

> OpenLDAP Core Team

>

> SysNet s.n.c.

> Via Dossi, 8 - 27100 Pavia - ITALIA

> http://www.sys-net.it

> ------------------------------------------

> Office: +39.02.23998309

> Mobile: +39.333.4963172

> Email: pierangelo.masarati@sys-net.it

> ------------------------------------------