
TLS secure connection problem



Hi,

I installed OpenLDAP 2.4.11-1 on two Debian Lenny servers (srv3, srv4), in master-slave configuration. I wanted to create a secure connection for syncrepl.
srv3 is the master (provider) and srv4 is the slave (consumer). While I didn't use a secure connection, ldapsearch and syncrepl worked. After I set up the secure connection, syncrepl didn't work.
I start slapd with -h ldap://127.0.0.1/ ldaps:/// on both servers.

ldapsearch partially works:
Works from srv3:
ldapsearch -H ldaps://srv3.mydomain.site:636 -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
ldapsearch -H ldaps://srv4.mydomain.site:636 -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
ldapsearch -H ldap://127.0.0.1:389 -x -W -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"

Works from srv4:
ldapsearch -H ldaps://srv4.mydomain.site:636/ -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
ldapsearch -H ldap://127.0.0.1:389 -x -W -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"

Doesn't work from srv4:
ldapsearch -H ldaps://srv3.mydomain.site:636/ -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
Enter LDAP Password:  (after I give the password, it waits 1-2 seconds)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

On srv3:

/etc/ldap/ldap.conf:
host 127.0.0.1
base dc=mydomain,dc=site
logdir /var/lib/ldap/log
TLS_REQCERT  hard
TLS_CACERT /etc/ssl/certs/cacert.pem

slapd.conf:
#########################################
# Global Directives:
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba3.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        conns stats filter
idletimeout     30
modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      syncprov
sizelimit       unlimited
tool-threads    1
TLSCertificateFile      /etc/ssl/certs/srv3cert.pem
TLSCertificateKeyFile   /etc/ssl/private/srv3key.pem
TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSVerifyClient         never

#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend        hdb
database        hdb
suffix        "dc=mydomain,dc=site"
rootdn          "cn=adm,dc=mydomain,dc=site"
rootpw          {SSHA}.......
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 100000000 1
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 524288
dbconfig set_lg_dir             /var/lib/ldap/log
dbconfig set_flags               DB_LOG_AUTOREMOVE
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
index sambaSIDList          eq
index sambaGroupType        eq
index entryCSN,entryUUID    eq
lastmod         on
checkpoint      512 30

access to *
    by dn.exact="cn=replicator,dc=mydomain,dc=site" tls_ssf=128 read
    by * break

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange
        by dn="cn=admin,dc=mydomain,dc=site" write
        by dn="cn=replicator,dc=mydomain,dc=site" read
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=mydomain,dc=site" write
        by dn="cn=replicator,dc=mydomain,dc=site" read
        by self write
        by * read

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

On srv4:
/etc/ldap/ldap.conf:
host 127.0.0.1
logdir /var/lib/ldap/log
TLS_REQCERT  hard
TLS_CACERT /etc/ssl/certs/cacert.pem

Thanks,
Tamas.
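Added example, not part of Tamas's post or of OpenLDAP itself: with TLS_REQCERT hard, the client library aborts the connection as soon as the server certificate fails verification, and ldapsearch reports only the generic "Can't contact LDAP server (-1)" seen above. The script below performs the two checks that verification consists of, chain validation against the CA file the client trusts and a name match against the host name in the ldaps:// URI, offline on the PEM files, so the problem can be located without touching slapd. It assumes the openssl command-line tool (1.1.0 or later for -checkhost); the file names srv3cert.pem and cacert.pem mirror the slapd.conf in the post, and make_test_pki builds a throwaway CA and certificates purely to show one passing and one failing case of each check.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for an ldaps
# server certificate, as a client configured with TLS_REQCERT hard applies
# them during the handshake. Requires the openssl CLI (1.1.0+ for -checkhost).

# Does the server certificate chain to the CA file the client trusts?
# Exit status is that of `openssl verify`: 0 only if the chain is good.
verify_chain() {   # verify_chain CERT CAFILE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the certificate name match the host name the client dials?
# -checkhost always exits 0 and prints "does match" / "does NOT match",
# so the verdict is taken from its output. Uses the same SAN/CN matching
# (CN fallback when there is no dNSName SAN) as the TLS library.
check_host() {     # check_host CERT HOSTNAME
    openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# Run both checks and explain each failure. Returns 0 only if both pass.
diagnose() {       # diagnose CERT CAFILE HOSTNAME
    rc=0
    if verify_chain "$1" "$2"; then
        echo "chain: $1 verifies against $2"
    else
        echo "chain: $1 does NOT verify against $2 (TLS_REQCERT hard aborts here)"
        rc=1
    fi
    if check_host "$1" "$3"; then
        echo "name:  certificate matches $3"
    else
        echo "name:  certificate does NOT match $3 (use the name in the cert, or reissue)"
        rc=1
    fi
    return $rc
}

# Throwaway PKI for demonstration only (constructed here, not real keys):
#   cacert.pem      - the CA the client trusts
#   othercacert.pem - an unrelated CA (a consumer with the wrong cacert.pem)
#   srv3cert.pem    - signed by cacert, CN=srv3.mydomain.site (matches the URI)
#   srv3short.pem   - signed by cacert, CN=srv3 (does not match the FQDN)
make_test_pki() {  # make_test_pki DIR
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
        -keyout "$d/otherkey.pem" -out "$d/othercacert.pem" 2>/dev/null
    for pair in "srv3cert:srv3.mydomain.site" "srv3short:srv3"; do
        name=${pair%%:*}; cn=${pair#*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/cacert.pem" \
            -CAkey "$d/cakey.pem" -CAcreateserial -days 1 \
            -out "$d/$name.pem" 2>/dev/null
    done
}

# Usage on the consumer, with srv3's certificate copied over:
#   sh check_ldaps_cert.sh /tmp/srv3cert.pem /etc/ssl/certs/cacert.pem srv3.mydomain.site
if [ "$#" -eq 3 ]; then
    diagnose "$1" "$2" "$3"
fi
```

To obtain the certificate srv3 actually presents, rather than the file you think it is serving, run `openssl s_client -connect srv3.mydomain.site:636 -CAfile /etc/ssl/certs/cacert.pem` from srv4 and read the "Verify return code" line; `ldapsearch -d 1` against the same URI shows the client-side TLS error that the -1 result hides.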