Re: Multimaster SASL/EXTERNAL (TLS client cert) error
Gavin Henry wrote:
> ----- "Gémes Géza" <email@example.com> wrote:
>> Hi everyone!
>> I've set up two test ldap servers (2.4.10) with multimaster
>> With simple binds it is working well.
>> I've set up a client certificate (everything CA signed, no
>> ;-) ) to use with SASL/EXTERNAL authentication.
>> Using olcAuthzRegexp I've mapped it to the rootdn of the cn=config
>> backend, set up an .ldaprc file and with:
>> su -c '/usr/bin/ldapwhoami' openldap -s /bin/sh
>> (I'm running slapd as openldap user and group)
>> I get:
>> SASL/EXTERNAL authentication started
>> SASL username: cn=LDAP Syncrepl Client,ou=LDAP Server,o=Kossuth
>> Zsuzsanna SZKI,l=Dabas,st=Pest,c=HU
>> SASL SSF: 0
>> just like expected (ldapsearch and friends are also working on both
>> sides and cross).
>> Just to be sure I've exported the LDAPCONF variable in the slapd
>> But syncrepl doesn't work!
>> On the logs (olcLogLevel=-1):
>> slap_client_connect: URI=ldaps://first-or-second-ldap-server
>> ldap_sasl_interactive_bind_s failed (-6)
>> connection_read(20): unable to get TLS client DN, error=49 id=23
> Are you trying to StartTLS on an SSL (ldaps://) connection? That won't work.
However, a simple ldapwhoami or ldapsearch works. The ldaprc used is:
URI ldaps://first-ldap-server ldaps://second-ldap-server
SASL_AUTHCID cn=LDAP Syncrepl Client,ou=LDAP Server,o=Kossuth
Just to be sure, I've now tried changing the providers to ldap://...,
but without luck. Now it just reports in the logs:
ldap_sasl_interactive_bind_s failed (-6)
Thanks for any idea.
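For reference, here is how the two TLS choices raised in this thread (ldaps:// versus StartTLS on ldap://) look in an olcSyncrepl value that authenticates with SASL/EXTERNAL. This is an added example, not configuration from the poster or from the OpenLDAP project; hostnames, certificate paths and rid values are placeholders.

```ldif
# Added example: an olcSyncrepl value for a cn=config consumer that binds with
# SASL/EXTERNAL using its own TLS client certificate. The tls_* parameters give
# the syncrepl connection its certificate explicitly, so the mapping done by
# olcAuthzRegexp on the provider does not depend on the ldaprc of the user
# slapd runs as. Hostnames, paths and rid are placeholders.
#
# Variant A: ldaps:// provider. The session is TLS from the first byte, so no
# starttls= parameter is given; StartTLS on an already-encrypted ldaps://
# session cannot succeed.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldaps://first-ldap-server
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/ldap/certs/syncrepl-client.crt
  tls_key=/etc/ldap/certs/syncrepl-client.key
  tls_cacert=/etc/ldap/certs/ca.crt
  tls_reqcert=demand
  searchbase="cn=config"
  type=refreshAndPersist
  retry="5 5 300 +"
-

# Variant B: plain ldap:// provider upgraded with StartTLS before the bind.
# starttls=critical makes the consumer abort if the upgrade fails instead of
# continuing without TLS, so the client certificate (and the EXTERNAL bind that
# depends on it) is only ever attempted on a protected channel.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=002
  provider=ldap://second-ldap-server
  starttls=critical
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/ldap/certs/syncrepl-client.crt
  tls_key=/etc/ldap/certs/syncrepl-client.key
  tls_cacert=/etc/ldap/certs/ca.crt
  tls_reqcert=demand
  searchbase="cn=config"
  type=refreshAndPersist
  retry="5 5 300 +"
-
```

Use one variant per provider; with ldaps:// the starttls= parameter must be absent, and with ldap:// it should be present so the bind never happens in cleartext.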