
OpenLDAP 2.4.23 - Syncrepl - TLS Trouble



Dear OpenLDAP experts,

I'm about to set up an OpenLDAP server with the following features:
- TLS/SSL with self-signed certificates
- TLS-encrypted N-way replication (Syncrepl)

My environment:
- 2 x RHEL 6.0
- OpenLDAP 2.4.23

I'm trying to sync both databases: cn=config and the backend DB. The problem is that I'm not able to turn on TLS for both sync connections at the same time. It works for each connection, but only if the other one is unencrypted.

Working configuration:
-----
olcDatabase={0}config,cn=config
...
olcSyncrepl: {0}rid=001 provider=ldap://ldapserver1.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://ldapserver2.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
...
olcDatabase={1}bdb,cn=config
...
olcSyncrepl: {0}rid=003 provider=ldap://ldapserver1.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
olcSyncrepl: {1}rid=004 provider=ldap://ldapserver2.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
-----

(desired) Configuration, which doesn't work:
-----
olcDatabase={0}config,cn=config
...
olcSyncrepl: {0}rid=001 provider=ldap://ldapserver1.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
olcSyncrepl: {1}rid=002 provider=ldap://ldapserver2.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
...
olcDatabase={1}bdb,cn=config
...
olcSyncrepl: {0}rid=003 provider=ldap://ldapserver1.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
olcSyncrepl: {1}rid=004 provider=ldap://ldapserver2.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
-----

/etc/openldap/cacerts/ca.pem contains CA certificates of both servers.

What is wrong? I would be very thankful for any advice.
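The following is an added example, not part of the original post or of OpenLDAP itself. It is a small shell audit a practitioner would run before touching the configuration again: it reads olcSyncrepl lines (as a `slapcat -n 0` dump of cn=config would produce them, which is an assumption about how you obtain the input), reports every consumer rid that does not request TLS, and prints the `ldapsearch -ZZ` probe to run by hand against each provider so that the CA file and StartTLS are verified outside of slapd. It goes slightly beyond the post by also treating an `ldaps://` provider URL as encrypted. The sample input embedded below is constructed from the "working" configuration quoted above; the host names and the CA path are taken from the post, not from any real system.

```shell
#!/bin/sh
# Added example: audit olcSyncrepl consumers for missing TLS.
# Not OpenLDAP's own code; assumes the input is LDIF text containing
# one "olcSyncrepl: ..." attribute per line (e.g. from: slapcat -n 0).
set -eu

# Print "rid provider" for every olcSyncrepl line that neither uses an
# ldaps:// provider nor combines starttls=yes with a tls_cacert=... file.
# Reads the LDIF text from stdin; prints nothing when every consumer is encrypted.
syncrepl_without_tls() {
    grep '^olcSyncrepl:' | while IFS= read -r line; do
        rid=$(printf '%s\n' "$line" | sed -n 's/.*rid=\([0-9]*\).*/\1/p')
        provider=$(printf '%s\n' "$line" | sed -n 's/.*provider=\([^ ]*\).*/\1/p')
        case "$line" in
            *provider=ldaps://*) ;;                                    # LDAP over TLS: fine
            *starttls=yes*tls_cacert=*|*tls_cacert=*starttls=yes*) ;;  # StartTLS with a CA file: fine
            *) printf '%s %s\n' "$rid" "$provider" ;;                  # unencrypted consumer
        esac
    done
}

# Build the manual probe for one provider. "-ZZ" makes ldapsearch fail hard
# unless StartTLS succeeds, and LDAPTLS_CACERT must contain the CA that signed
# the provider's server certificate (the same file named in tls_cacert=...).
tls_probe_command() {
    provider=$1
    cacert=$2
    printf 'LDAPTLS_CACERT=%s ldapsearch -ZZ -x -H %s -s base -b "" namingContexts\n' \
        "$cacert" "$provider"
}

# Constructed sample: the two cn=config consumers from the post's working
# configuration (no TLS) plus one backend consumer that does request StartTLS.
SAMPLE='olcSyncrepl: {0}rid=001 provider=ldap://ldapserver1.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://ldapserver2.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {0}rid=003 provider=ldap://ldapserver1.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem'

# Report the unencrypted consumers from the sample and the probe for each.
audit_sample() {
    printf '%s\n' "$SAMPLE" | syncrepl_without_tls | while read -r rid provider; do
        printf 'rid %s replicates from %s without TLS; verify StartTLS with:\n  ' "$rid" "$provider"
        tls_probe_command "$provider" /etc/openldap/cacerts/ca.pem
    done
}

audit_sample
```

Run the script as-is to see the report for the embedded sample, or replace `SAMPLE` with `$(slapcat -n 0)` on the consumer to audit a live cn=config. If the printed `ldapsearch -ZZ` probe fails for either provider, the syncrepl consumer will fail the same way, and the problem is in the certificate chain or the CA file rather than in the olcSyncrepl syntax.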