[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Setting up syncrepl, replicated LDAP doesn't work

To: John Oliver <joliver@john-oliver.net>
Subject: Re: Setting up syncrepl, replicated LDAP doesn't work
From: Jonathan Clarke <jclarke@linagora.com>
Date: Fri, 25 Jul 2008 10:21:21 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <20080724174937.GB21660@ns.sdsitehosting.net>
Organization: Linagora
References: <20080724174937.GB21660@ns.sdsitehosting.net>
User-agent: Thunderbird 2.0.0.14 (X11/20080505)

Hi,

John Oliver a Ãcrit :
> [root@localhost ~]# ldapsearch -H
> ldaps://ldap2.mydomain.com -b
> "dc=mydomain,dc=com" uid=joliver sn givenName cn
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This is a SSL error message: your LDAP client can not identify the
certificate authority that emitted the certificate presented by your
server. Configure your ldap.conf file to include appropriate files
(TLS_CACERT or TLS_CACERTDIR, etc).

> [root@localhost ~]# ldapsearch -H
> ldap://ldap2.mydomain.com -b
> "dc=mydomain,dc=com" uid=joliver sn givenName cn
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in
> database
> 
> 
> When using just ldap:// with ldapsearch, I don't know what password it's
> asking for.  My LDAP password doesn't work, the LDAP admin password
> doesn't work, the local root password doesn't work...

This is because ldapsearch is trying to authenticate using SASL
authentication layer. Add the "-x" option to your ldapsearch command,
and you can use your LDAP password.

> Here's the odd thing.  When I started setting this up, the machine
> that's the primary (and working) LDAP server now was running fedora-ds.
> I set up OpenLDAP on what is now the slave server, and it worked
> perfectly.  I slapcat'ed it, installed OpenLDAP on the primary server,
> and slapadded the db.  I never generated any certificates on it at all,
> and it works perfectly.  I just regenerated the cert on the slave
> server, but no joy.

I believe OpenSSL defaults have become more strict in certificate
checking, over some recent (maybe up to 6 months ago) upgrade.

Jonathan
-- 
Jonathan Clarke

Open Source Software Assurance (OSSA) - Groupe LINAGORA
27 rue de Berri, 75008 Paris
TÃl: 01 58 18 68 28, fax: 01 58 18 68 29
http://www.linagora.com - http://www.08000linux.com

References:
- Setting up syncrepl, replicated LDAP doesn't work
  - From: John Oliver <joliver@john-oliver.net>

Prev by Date: Re: Client says Can't contact LDAP server, but it can!
Next by Date: Re: Client says Can't contact LDAP server, but it can!
Index(es):
- Chronological
- Thread