
RE: TLS replication/SALS bindmethod



If I moved either entry, the service fails to start.

-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com] 
Sent: Monday, May 23, 2011 10:15 AM
To: Darouichi, Aziz
Cc: openldap-technical@openldap.org
Subject: Re: TLS replication/SALS bindmethod

Darouichi, Aziz wrote:
> I configured multi-master replication; everything worked fine till I hashed
> rootpw to conform to a hardcoded password in Oracle.
> I configured the OpenLDAP servers to use SASL. This is my configuration.
> provider=ldap://xxx.xxx.xxx:389
> bindmethod=sasl
> saslmech=external
> starttls=yes
> tls_cert=/etc/pki/tls/certs/slapd.pem
> tls_key=/etc/pki/tls/private/ldap.pem
> tls_cacert=/etc/pki/tls/certs/ca-bundle.crt
> tls_reqcert=demand
> binddn="cn=ldap,dc=establishment,dc=edu"
> credentials={SSHA}2vNffW+5hEolqIykgH9tCpxq9jTTVSSu
> searchbase="dc=establishment,dc=edu"
> schemachecking=on
> type=refreshAndPersist
> retry="60 +"

I don't understand why you use

bindmethod=sasl
saslmech=external

and

binddn="cn=ldap,dc=establishment,dc=edu"
credentials={SSHA}2vNffW+5hEolqIykgH9tCpxq9jTTVSSu

together.

Anyway, you have to provide the clear-text password here since the consumer is
an LDAP client.

> When I run ldapsearch against the servers I get a response from both machines:
> ldapsearch -H ldap://server.establishment.edu -D
> "cn=ldap,dc=establishment,dc=edu" -w "PASSWORD" -x -b "dc=establishment
> ,dc=edu" "(objectclass=*)" uid
> This is what I get in the logs:
> May 23 09:37:01 ldap1 slapd[1559]: slap_client_connect:
> URI=ldap://xxx.xxx.edu:389 ldap_sasl_interactive_bind_s failed (-6)
> May 23 09:37:01 ldap1 slapd[1559]: do_syncrepl: rid=002 rc -6 retrying
> May 23 09:37:58 ldap1 slapd[1559]: conn=5220 op=0 do_extended: unsupported
> operation "1.3.6.1.4.1.1466.20037"
> May 23 09:38:01 ldap1 slapd[1559]: slap_client_connect:
> URI=ldap://xxx.xxx.edu:389 Warning, ldap_start_tls failed (2)
> May 23 09:38:01 ldap1 slapd[1559]: slap_client_connect:
> URI=ldap://xxx.xxx.edu:389 ldap_sasl_interactive_bind_s failed (-6)
> May 23 09:38:01 ldap1 slapd[1559]: do_syncrepl: rid=002 rc -6 retrying

This basically means that TLS is not properly configured at the provider.

Ciao, Michael.
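As an added example (not from the thread or the OpenLDAP project), the provider-side TLS directives whose absence produces the "unsupported operation 1.3.6.1.4.1.1466.20037" (StartTLS) log line, beside the two internally consistent consumer stanzas Michael's reply points at: SASL/EXTERNAL authenticating with the consumer's certificate and no binddn/credentials, or a simple bind with the clear-text password. The certificate paths on the provider, the consumer certificate subject cn=ldap1,dc=establishment,dc=edu and the password placeholder are assumptions; slapd.conf syntax as in the quoted configuration.

```conf
########## Provider (slapd.conf) ##########
# Without these three directives slapd offers no StartTLS and logs
# 'do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"'.
# Paths are assumed to mirror the consumer's.
TLSCACertificateFile   /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile     /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile  /etc/pki/tls/private/ldap.pem
# Needed only for SASL/EXTERNAL: request and verify the consumer's
# client certificate against the CA bundle above.
TLSVerifyClient        demand
# SASL/EXTERNAL authenticates as the client certificate's subject DN.
# Map the assumed consumer subject onto the replication identity that
# the database ACLs grant read access to.
authz-regexp "^cn=ldap1,dc=establishment,dc=edu$"
             "cn=ldap,dc=establishment,dc=edu"

########## Consumer, variant A: SASL/EXTERNAL ##########
# The identity comes from tls_cert/tls_key; binddn and credentials
# are meaningless with EXTERNAL and are dropped.
syncrepl rid=002
        provider=ldap://xxx.xxx.edu:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=establishment,dc=edu"
        schemachecking=on
        starttls=critical
        tls_reqcert=demand
        tls_cacert=/etc/pki/tls/certs/ca-bundle.crt
        tls_cert=/etc/pki/tls/certs/slapd.pem
        tls_key=/etc/pki/tls/private/ldap.pem
        bindmethod=sasl
        saslmech=EXTERNAL

########## Consumer, variant B: simple bind ##########
# The consumer is an LDAP client, so credentials is the clear-text
# password, never the {SSHA} hash stored in the provider's entry.
# starttls=critical makes the consumer abort instead of falling back
# to plain LDAP when StartTLS fails, so the password never crosses
# the wire unencrypted.
syncrepl rid=002
        provider=ldap://xxx.xxx.edu:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=establishment,dc=edu"
        schemachecking=on
        starttls=critical
        tls_reqcert=demand
        tls_cacert=/etc/pki/tls/certs/ca-bundle.crt
        bindmethod=simple
        binddn="cn=ldap,dc=establishment,dc=edu"
        credentials=CLEAR_TEXT_PASSWORD_PLACEHOLDER
```

Before restarting the consumer, confirm the provider now advertises StartTLS with `ldapsearch -x -H ldap://xxx.xxx.edu:389 -s base -b "" supportedExtension` and check that 1.3.6.1.4.1.1466.20037 is listed; then `ldapsearch -ZZ -x -H ldap://xxx.xxx.edu:389 -s base -b "" namingContexts` must succeed rather than report ldap_start_tls failed.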