[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: overlay chain and TLS/SSL



Ralf Zimmermann <r.zimmermann@siegnetz.de> writes:

> Hi all,
>
> I think I have  a problem with the overlay chain and tls.  We have one physical
> master and two slaves in VMware Vsphere4. Our configuration runs normally fine,
> but sometimes  we can't modify  entries like passwords  to the master.  Then we
> must restart  the slapd at the  slaves. After restarting slapd  all works fine.
> Then slapd works fine the wholy day.  We can change entries or set passwords on
> the slaves.  Next morning  we must  restart the slapd  again, because  we can't
> modify entries from the  slaves. But we can query the  slapd and syncrepl works
> fine. Only things over the overlay chains  doesn't work. I have the problem not
> only  with Version  2.4.20. I  tested more  Versions and  actually 2.4.21  from
> pysically hardware.
>
> If I can't set entries on the slave  I don't see any tcp packets from the slave
> to the master. DNS,  time and so on looks fine and  everything else is working.
> And if we restart slapd everything is  working. Does anybody know what is going
> wrong and if  there exits a workaround. I read  some things abount /dev/random,
> /dev/urandom and kernel 2.6 in VMware. Can this be the problem?
>
> Here the overlay chain configuration.
>
> <snip slapd.conf>
> overlay                chain
> chain-uri              "ldap://eisenherz.camelot.de/";
> chain-idassert-bind    bindmethod=simple
>                        binddn="cn=ldapadmin,dc=camelot,dc=de"
>                        credentials="xxxxxx"
>                        mode="self"
> chain-rebind-as-user   TRUE
> chain-return-error     TRUE
> chain-tls              start
> </snip slapd.conf>
>
> Any help is appreciated.

What version is this?
I found that with 2.4.21 a tls_cacert option solved my problem.

chain-tls start 
          tls_cacert="/opt/openldap/etc/openldap/certs/avciCA.pem
          tls_reqcert="demand"

slapd-ldap(5) provides more TLS options.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E