[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Sync Replication via TLS/SSL - get bind err



Hello!

On Thu, 20 Dec 2007 11:03:44 -0500
"Chris G. Sellers" <chris.sellers@nitle.org> wrote:

> I have setup sync replication on two OpenLDAP servers.  I have it  
> successfully working via ldap://:389
> 
> I then setup TLS for SSL connections.  I used a self signed cert  
> (using the OpenLDAP how-to) as well as a CAsigned cert from  
> cacert.org.   I've setup the ca.crt in the ldap.conf file on both
> the master and slave.  I've also setup the ca.cert in the TLS for
> the master server that the sync repl host connects to.
> 
> I've tested the cert with a connection via ldap -Z and -d debug
> option and seen that the cert appears to be validated.
> 
> So, when I turn on ldaps:// for the syncrepl section of the slave  
> server, and use port 389 I get a bind error
> 
> Dec 20 11:01:43 IdP slapd[11717]: do_syncrep1: rid 123  
> ldap_sasl_bind_s failed (-1)
> Dec 20 11:01:43 IdP slapd[11717]: do_syncrepl: rid 123 quitting
> 
> which suggests that the connection could not be made on port 389 via  
> TLS.   I can't figure out how to tell the repl connection to send a  
> certificate.   Do I have to setup a user in LDAP with a cert?  Do I  
> put a client cert into the syncrepl section of the slapd.conf file
> on the slave?   Please advise.

Indeed, I have also found that in the OpenLDAP documentation there
are no directions about what kind of cert should be used for a syncrepl
consumer, nor about how they could be specified - one may guess that
one has to use the tls-related suboptions of the syncrepl option but
there are no directions, no examples, no nothing. And then it does not
work in the first place and does not have usable log or even debug
output either...

This probably tells that I've got the same problem. So far I've only
tried it with a self-signed certificate though but got the same error.
At first I thought it might be something else (ACL issue or something)
but when I set starttls=yes and provider="ldap://<host>:389" then it
apparently fails to TLS handshake and continues without encryption
(despite I've got "security simple_bind=112" in the provider config
which seems to be respected by all LDAP clients except syncrepl) and
finally it does do the replication through an unencrypted connection.
When I set "starttls=critical" with the very same setup and settings
then it fails with a TLS handshake error.

When I set up normal SSL with provider="ldaps://<host>:636" then I
simply get the same error you're getting and even with debug mode
I could not get any details about the TLS/SSL handshake or what
exactly the problem is.

IMHO it is extremely harsh how the self-signed certs are treated by
OpenLDAP. In the majority of cases this is forcing people (after many
hours of struggling) to use "TLS_REQCERT never" or similar settings,
which ends up being a lot more insecure than it would be to accept a
known self-signed cert... Not to mention that the syncrepl suboption
"tls_reqcert=never" is apparently ignored so practically I've found
that syncrepl is currently inoperable with any form of encryption.
Is there anybody who could tell me what this is good for?

Thanks,

Sab