
Re: Multimaster SASL/EXTERNAL (TLS client cert) error

Gavin Henry wrote:
> ----- "Gémes Géza" <geza@kzsdabas.hu> wrote:
>> Hi everyone!
>> I've set up two test ldap servers (2.4.10) with multimaster
>> replication.
>> With simple binds it is working well.
>> I've set up a client certificate (everything CA signed, no
>> self-signing
>> ;-) ) to use with SASL/EXTERNAL authentication.
>> Using olcAuthzRegexp I've mapped it to the rootdn of the cn=config
>> backend, set up an .ldaprc file and with:
>> su -c '/usr/bin/ldapwhoami' openldap -s /bin/sh
>> (I'm running slapd as openldap user and group)
>> I get:
>> SASL/EXTERNAL authentication started
>> SASL username: cn=LDAP Syncrepl Client,ou=LDAP Server,o=Kossuth Zsuzsanna SZKI,l=Dabas,st=Pest,c=HU
>> SASL SSF: 0
>> dn:cn=config
>> just like expected (ldapsearch and friends are also working on both
>> sides and cross).
>> Just to be sure I've exported the LDAPCONF variable in the slapd
>> startup
>> script.
>> But syncrepl doesn't work!
>> On the logs (olcLogLevel=-1):
>> slap_client_connect: URI=ldaps://first-or-second-ldap-server
>> ldap_sasl_interactive_bind_s failed (-6)
>> connection_read(20): unable to get TLS client DN, error=49 id=23
> Are you trying to StartTLS on an SSL (ldaps://) connection? That won't work.
However, a simple ldapwhoami or ldapsearch works. The .ldaprc used is:

BASE          dc=kzsdabas,dc=hu
URI           ldaps://first-ldap-server ldaps://second-ldap-server
TLS_CACERT    /etc/ssl/certs/ca.crt
TLS_CERT      /etc/ldap/syncrepl.crt
TLS_KEY       /etc/ldap/syncrepl.key
TLS_REQCERT   demand
SASL_MECH     external
SASL_AUTHCID  cn=LDAP Syncrepl Client,ou=LDAP Server,o=Kossuth Zsuzsanna SZKI,l=Dabas,st=Pest,c=HU

Just to be sure, I've now tried to change the providers to ldap://...,
but without luck. Now it just reports in the logs:

slap_client_connect: URI=ldaps://first-or-second-ldap-server
ldap_sasl_interactive_bind_s failed (-6)

Thanks for any idea.
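For reference, slapd's syncrepl consumer takes its own TLS and SASL parameters on the syncrepl directive, so a consumer can be given its client certificate explicitly instead of depending on whatever libldap picks up from an .ldaprc. The following is an added example of such an olcSyncRepl entry for a cn=config mirror, not the original poster's configuration: the certificate, key and CA paths are the ones from the .ldaprc above, while the rid, retry schedule, searchbase and provider hostname are assumptions. (For orientation when reading the log lines above: the -6 returned by ldap_sasl_interactive_bind_s is libldap's LDAP_AUTH_UNKNOWN, and error 49 is LDAP_INVALID_CREDENTIALS.)

```ldif
# Added example, not from the original thread. Applied with ldapmodify on the
# first server; the second server carries the mirror image pointing back at
# the first. Paths are taken from the poster's .ldaprc; everything else is
# assumed for illustration.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldaps://second-ldap-server
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="cn=config"
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/ldap/syncrepl.crt
  tls_key=/etc/ldap/syncrepl.key
  tls_cacert=/etc/ssl/certs/ca.crt
  tls_reqcert=demand
-
replace: olcMirrorMode
olcMirrorMode: TRUE
```

With bindmethod=sasl and saslmech=EXTERNAL there is no binddn or credentials in the directive; the identity the provider sees is the certificate subject, which the existing olcAuthzRegexp then maps to the cn=config rootdn. The tls_* keywords are the syncrepl equivalents of the TLS_CERT, TLS_KEY, TLS_CACERT and TLS_REQCERT lines in .ldaprc, and keeping them in the directive means the same settings are in effect regardless of which user slapd runs as or which LDAPCONF/LDAPRC it is started with.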