
Syncrepl can't start ssl session because of refused 'client' certificate


I'm trying to upgrade an openLdap server from Fedora Core 13 (openldap-servers-2.4.21-11) to Redhat Enterprise 6 (openldap-servers-2.4.23-15.el6.x86_64).
In this new setup, my local bdb backend works: I can query the LDAP server on this backend using an "ldaps://" connection (it is using a server certificate).

However, the Syncrepl replication process fails to establish the "ldaps://" session to my syncrepl-providers.
Indeed, the TLS layer complains that my _server's certificate_ isn't a valid _client certificate_ (with error 8101 - SEC_ERROR_INADEQUATE_CERT_TYPE): but I don't want client-side authentication!

In the past syncrepl didn't try to use the server certificate as a client certificate, and I haven't seen any reference to this in the documentation.
I first thought it could have been related to ITS#6791 but I don't think so anymore because it only affects Syncrepl.

Do you think I've missed something in the setup?

Thanks in advance,

Here is an excerpt of the slapd startup log in debug mode:
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate [CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is not valid - error -8101:Unknown code ___f 91.
TLS: error: unable to set up client certificate authentication for certificate named PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: unable to set up client certificate authentication using PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: could not initialize moznss security context - error -8101:Unknown code ___f 91
TLS: can't create ssl handle.
slap_client_connect: URI=ldaps://otherldap.mydom.fr DN="cn=myreplicationAccount,dc=mydom,dc=fr" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=125 rc -1 retrying (9 retries left)

Here is my syncrepl setup:
syncrepl rid=125
        retry="60 10 300 +"

My setup related to TLS:
TLSCipherSuite          HIGH
TLSCertificateFile      /etc/ssl/certs/myldap.mydom.fr-cert.pem
TLSCertificateKeyFile   /etc/ssl/keys/myldap.mydom.fr-key.pem
TLSCACertificateFile    /etc/ssl/cacerts/cacert.pem

And eventually my /etc/openldap/ldap.conf:
TLS_CACERT /etc/ssl/cacerts/cacert.pem
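As an added example (not part of the original post and not OpenLDAP project code), here is a small POSIX shell helper that inspects the certificate named in TLSCertificateFile and reports whether its Extended Key Usage would allow it to be presented as a TLS client certificate. NSS reports SEC_ERROR_INADEQUATE_CERT_TYPE (-8101) when a certificate's key usage or extended key usage does not cover the use being requested, so a server certificate issued with extendedKeyUsage=serverAuth only is one thing worth ruling out on the consumer before digging further; whether that is the cause in this particular setup is an assumption, not something the log above confirms. The file names and the throwaway self-signed certificates produced by make_test_cert are constructed placeholders, and the generator needs OpenSSL 1.1.1 or later for the -addext option.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a PEM certificate
# can be presented as a TLS *client* certificate by looking at its X509v3
# Extended Key Usage. NSS refuses a certificate for client authentication
# (SEC_ERROR_INADEQUATE_CERT_TYPE) when its key usage / EKU does not permit
# that use; a certificate issued for serverAuth only is a common cause.
# All paths and names are placeholders.

# cert_eku FILE: print the Extended Key Usage values of a PEM certificate
# (e.g. "TLS Web Server Authentication"), or nothing if the extension is absent.
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | sed -n '2p' \
        | sed 's/^[[:space:]]*//'
}

# cert_usable_as_client FILE: return 0 when the certificate may be used as a
# client certificate: either it carries no EKU extension at all (no restriction)
# or its EKU lists TLS Web Client Authentication. Return 1 otherwise.
cert_usable_as_client() {
    _eku=$(cert_eku "$1")
    if [ -z "$_eku" ]; then
        return 0
    fi
    case "$_eku" in
        *"TLS Web Client Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_cert FILE: human-readable verdict, as an operator would run it against
# the consumer's TLSCertificateFile before pointing syncrepl at a provider.
check_cert() {
    _eku=$(cert_eku "$1")
    if cert_usable_as_client "$1"; then
        echo "$1: usable for client authentication (EKU: ${_eku:-none})"
    else
        echo "$1: NOT usable as a client certificate (EKU: $_eku)"
    fi
}

# make_test_cert OUTDIR NAME [EKU]: generate a throwaway self-signed RSA
# certificate for testing; EKU, when given, is the extendedKeyUsage value
# (needs OpenSSL 1.1.1+ for -addext). Constructed test data, not real keys.
make_test_cert() {
    _dir=$1; _name=$2; _ekuval=$3
    if [ -n "$_ekuval" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$_name" -addext "extendedKeyUsage=$_ekuval" \
            -keyout "$_dir/$_name-key.pem" -out "$_dir/$_name-cert.pem" \
            >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$_name" \
            -keyout "$_dir/$_name-key.pem" -out "$_dir/$_name-cert.pem" \
            >/dev/null 2>&1
    fi
}

# Stand-alone usage: build a server-only and a dual-use certificate and
# report on each, then check a real file if one is given on the command line.
if [ "${0##*/}" != "sh" ] && [ -n "${RUN_DEMO:-}" ]; then
    demo=$(mktemp -d)
    make_test_cert "$demo" server-only serverAuth
    make_test_cert "$demo" dual-use serverAuth,clientAuth
    check_cert "$demo/server-only-cert.pem"
    check_cert "$demo/dual-use-cert.pem"
    rm -rf "$demo"
    [ -n "${1:-}" ] && check_cert "$1"
fi
```

Run it as `RUN_DEMO=1 sh check-eku.sh /etc/ssl/certs/myldap.mydom.fr-cert.pem` (script name is a placeholder) to see the verdict on the two constructed certificates followed by the verdict on the consumer's own certificate. A certificate that comes back "NOT usable" would need to be reissued with an EKU covering both serverAuth and clientAuth if the same file is to serve both the ldaps:// listener and the syncrepl client side.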