
Re: Syncrepl SSL fail



Hello,

I use the following ldapsearch command:


ldapsearch -H ldaps://ldap.mydomain.fr:1024 -x -W -D "cn=syncrepluser,o=others,dc=mydomain,dc=fr"

I did configure the TLS cert files before the syncrepl configuration:

TLSCACertificateFile /etc/ssl/certs/ldap-replic-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-replic-cert.pem
TLSCertificateKeyFile /etc/ssl/certs/ldap-replic-cert.pem

But those certificates are for the ldap consumer, if I'm not wrong.

I am currently trying the following configuration, thanks to your information:


Syncrepl  rid=003
              provider=ldaps://ldap.mydomain.fr:1024/
              type=refreshOnly
              retry="60 10 600 +"
              interval=00:00:00:10
              searchbase="dc=mydomain,dc=fr"
              scope=sub
              schemachecking=on
              bindmethod=simple
              tls_cert=/etc/ssl/certs/ldap-cert.pem
              tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem
              binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
              credentials=my_password

where tls_cert and tls_cacert provide the cert from the master server.

It seems that the replication is working, but I get another confusing error:

Oct 14 12:46:53 server slapd[32470]: slap_client_connect:
URI=ldaps://ldap.mydomain.fr:1024/ TLS context initialization failed
(-1)
Oct 14 12:46:53 server slapd[32470]: do_syncrepl: rid=003 rc -1
retrying (9 retries left)
Oct 14 12:47:53 server slapd[32470]: do_syncrep2: rid=003
LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Oct 14 12:47:53 server slapd[32470]: do_syncrep2: rid=003
LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Oct 14 12:47:53 server slapd[32470]: do_syncrep2: rid=003
LDAP_RES_INTERMEDIATE - SYNC_ID_SET


I don't really understand the "TLS context initialization failed (-1)"
error, as my replication is working?

Thanks for the tips.

Hugo



On 13 October 2011 19:29, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
> --On Thursday, October 13, 2011 6:38 PM +0200 Hugo Deprez
> <hugo.deprez@gmail.com> wrote:
>
>> Dear community,
>>
>> I setup a syncrepl between my master openldap server and a consumer.
>>
>> I am trying to use SSL for this syncrepl
>> I got the following error in the log when I start slapd on the consumer:
>>
>> Oct 13 17:04:59 server slapd[16905]: slapd starting
>> Oct 13 17:04:59 server slapd[16905]: slap_client_connect:
>> URI=ldaps://ldap.mydomain.fr:1024/
>> DN="cn=syncrepluser,o=others,dc=mydomain,dc=fr" ldap_sasl_bind_s
>> failed (-1)
>> Oct 13 17:04:59 server slapd[16905]: do_syncrepl: rid=003 rc -1
>> retrying (9 retries left)
>>
>>
>> I don't understand why it is failing as a single ldapsearch from the
>> same server with the syncrepl user is working.
>>
>> Here is my syncrepl configuration:
>>
>> Syncrepl  rid=003
>>               provider=ldaps://ldap.mydomain.fr:1024/
>>               type=refreshOnly
>>               retry="60 10 600 +"
>>               interval=00:00:00:10
>>               searchbase="dc=mydomain,dc=fr"
>>               scope=sub
>>               schemachecking=on
>>               bindmethod=simple
>>               binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
>>               credentials=my_password
>>
>>
>> Any idea ?
>
> I don't see any of the tls_* options to the syncrepl configuration here.
> Likely the syncrepl client is unable to verify the master's cert.  I would
> note that using refreshOnly is ill-advised.
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
>
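The two misconfigurations this thread turns on are easy to catch mechanically before slapd is restarted: an ldaps:// provider with no tls_cacert (the consumer has nothing to verify the provider's certificate against, which is what Quanah diagnosed), and tls_cert/tls_cacert pointing at the same file (tls_cert is the consumer's own client certificate, tls_cacert is the CA that signed the provider's certificate). The script below is an added example written for this thread, not code from OpenLDAP or from either poster. It parses slapd.conf syncrepl stanzas (honouring the rule that a line starting with whitespace continues the previous directive) and reports those findings; the embedded config is constructed, modelled on the quoted stanzas, with placeholder paths and password. It does not check the certificate chain itself; for that, `openssl verify -CAfile <tls_cacert> <provider-cert.pem>` run on the consumer is the quickest confirmation.

```python
"""Lint the TLS and bind settings of syncrepl stanzas in a slapd.conf.

Added example (not from the thread or from OpenLDAP).  SAMPLE_CONF below is a
constructed config modelled on the stanzas quoted in the thread; the paths,
rids and password are placeholders.
"""
import shlex

SAMPLE_CONF = """\
TLSCACertificateFile /etc/ssl/certs/ldap-replic-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-replic-cert.pem
TLSCertificateKeyFile /etc/ssl/certs/ldap-replic-cert.pem
syncrepl rid=003
              provider=ldaps://ldap.mydomain.fr:1024/
              type=refreshOnly
              retry="60 10 600 +"
              searchbase="dc=mydomain,dc=fr"
              bindmethod=simple
              binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
              credentials=my_password
syncrepl rid=004
              provider=ldaps://ldap.mydomain.fr:1024/
              type=refreshAndPersist
              searchbase="dc=mydomain,dc=fr"
              bindmethod=simple
              tls_cert=/etc/ssl/certs/ldap-cert.pem
              tls_cacert=/etc/ssl/certs/ldap-cert.pem
              binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
              credentials=my_password
"""


def logical_lines(text):
    """Join slapd.conf continuation lines: a line that starts with
    whitespace continues the previous directive.  Comments and blank
    lines are dropped."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_syncrepl(text):
    """Return one dict per syncrepl directive, keyed by lowercase option
    name.  shlex keeps quoted values such as retry="60 10 600 +" as a
    single token; only the first '=' separates key from value, so
    binddn="cn=...,dc=fr" parses correctly."""
    stanzas = []
    for line in logical_lines(text):
        if not line.lower().startswith("syncrepl"):
            continue
        opts = {}
        for tok in shlex.split(line)[1:]:
            key, _, val = tok.partition("=")
            opts[key.lower()] = val
        stanzas.append(opts)
    return stanzas


def lint_syncrepl(opts):
    """Findings for one syncrepl stanza, as human-readable strings."""
    findings = []
    rid = opts.get("rid", "?")
    provider = opts.get("provider", "").lower()
    uses_tls = provider.startswith("ldaps://") or \
        opts.get("starttls", "").lower() in ("yes", "critical")
    if uses_tls and "tls_cacert" not in opts and "tls_cacertdir" not in opts:
        findings.append(f"rid={rid}: TLS provider but no tls_cacert/tls_cacertdir; "
                        "the consumer cannot verify the provider's certificate")
    cert, cacert = opts.get("tls_cert"), opts.get("tls_cacert")
    if cert and cacert and cert == cacert:
        findings.append(f"rid={rid}: tls_cert and tls_cacert are the same file; "
                        "tls_cert is the consumer's own client certificate, "
                        "tls_cacert is the CA that signed the provider's certificate")
    if opts.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append(f"rid={rid}: tls_reqcert={opts['tls_reqcert']} "
                        "disables verification of the provider's certificate")
    if provider.startswith("ldap://") and not uses_tls and \
            opts.get("bindmethod", "simple").lower() == "simple":
        findings.append(f"rid={rid}: simple bind over plain ldap:// sends "
                        "the replication password in clear")
    return findings


def lint_global(text):
    """Flag the server-side TLS directives when the CA file is the server's
    own certificate; that only makes sense for a self-signed certificate."""
    vals = {}
    for line in logical_lines(text):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in (
                "tlscacertificatefile", "tlscertificatefile"):
            vals[parts[0].lower()] = parts[1]
    if vals.get("tlscacertificatefile") and \
            vals["tlscacertificatefile"] == vals.get("tlscertificatefile"):
        return ["global: TLSCACertificateFile and TLSCertificateFile are the "
                "same file; a CA bundle and a server certificate are different things"]
    return []


def lint_config(text):
    """All findings for a slapd.conf text."""
    findings = lint_global(text)
    for opts in parse_syncrepl(text):
        findings.extend(lint_syncrepl(opts))
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONF):
        print(finding)
```

Run against a real slapd.conf by replacing SAMPLE_CONF with the file's contents. The rid=003 stanza reproduces the first mail's problem (no tls_cacert), rid=004 the second (same file for tls_cert and tls_cacert), and the global block the TLSCACertificateFile/TLSCertificateFile overlap; each produces exactly one finding.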