[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Sync Replication via TLS/SSL - get bind err

RUMI Szabolcs <rumi_ml@rtfm.hu> writes:

> Hello!
> On Thu, 20 Dec 2007 11:03:44 -0500
> "Chris G. Sellers" <chris.sellers@nitle.org> wrote:
>> I have setup sync replication on two OpenLDAP servers.  I have it  
>> successfully working via ldap://:389
>> I then setup TLS for SSL connections.  I used a self signed cert  
>> (using the OpenLDAP how-to) as well as a CAsigned cert from  
>> cacert.org.   I've setup the ca.crt in the ldap.conf file on both
>> the master and slave.  I've also setup the ca.cert in the TLS for
>> the master server that the sync repl host connects to.
>> I've tested the cert with a connection via ldap -Z and -d debug
>> option and seen that the cert appears to be validated.
>> So, when I turn on ldaps:// for the syncrepl section of the slave  
>> server, and use port 389 I get a bind error

ldaps://  is a server initiated tls session, while starttls on ldap://
is a client initiated tls session.
Don't forget that syncrepl is a client connection to the server.


>> which suggests that the connection could not be made on port 389 via  
>> TLS.   I can't figure out how to tell the repl connection to send a  
>> certificate.   Do I have to setup a user in LDAP with a cert?  Do I  
>> put a client cert into the syncrepl section of the slapd.conf file
>> on the slave?   Please advise.

as already mentioned, syncrepl is a client operation, thus
ldap.conf(5) would be applicable, but slapd.conf(5) has in addition
configuration parameters, just search for syncrepl.

> Indeed, I have also found that in the OpenLDAP documentation there
> are no directions about what kind of cert should be used for a syncrepl
> consumer, nor about how they could be specified - one may guess that
> one has to use the tls-related suboptions of the syncrepl option but
> there are no directions, no examples, no nothing. And then it does not
> work in the first place and does not have usable log or even debug
> output either...

read the docs carefully! And think twice! 

> When I set up normal SSL with provider="ldaps://<host>:636" then I
> simply get the same error you're getting and even with debug mode
> I could not get any details about the TLS/SSL handshake or what
> exactly the problem is.

First test with openssl tools, like s_client(1). 

> IMHO it is extremely harsh how the self-signed certs are treated by
> OpenLDAP. In the majority of cases this is forcing people (after many
> hours of struggling) to use "TLS_REQCERT never" or similar settings,
> which ends up being a lot more insecure than it would be to accept a
> known self-signed cert... Not to mention that the syncrepl suboption
> "tls_reqcert=never" is apparently ignored so practically I've found
> that syncrepl is currently inoperable with any form of encryption.
> Is there anybody who could tell me what this is good for?

I do understand your frustration, but that is mostly due to not
reading the proper documentation. Forget about google, the only
relevant source of information is:

I have no problems creating a valid certificate chain with the openssl
tools, just modify openssl.cnf to your requirements:

./CA.pl -newca
./Ca.pl -newreq
./CA.pl -sign
openssl rsa -in newreq.pem -out mykey.pem
mv newcert.pem  mycert.pem
./CA.pl -verify mycert.pem

Dieter Klünter | Systemberatung