
Re: Syncrepl SSL fail



Hello,

On the provider I have the following settings:

TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem

but no TLSCipherSuite defined.

I added starttls=yes on the consumer:

Syncrepl  rid=003
             provider=ldaps://ldap.mydomain.fr:1024/
             type=refreshOnly
             retry="60 10 600 +"
             interval=00:00:00:10
             searchbase="dc=mydomain,dc=fr"
             scope=sub
             schemachecking=on
             bindmethod=simple
             starttls=yes
             tls_cert=/etc/ssl/certs/ldap-cert.pem
             tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem
             binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
             credentials=my_password


But still the same error.

Any idea ?

Hugo
On 14 October 2011 13:52, Olivier Guillard <olivier@guillard.nom.fr> wrote:
> Hi,
>
> Have you set up the following appropriately:
>
> TLSCertificateFile
> TLSCertificateKeyFile
> TLSCipherSuite
>
> On the provider ?
>
> You probably also want to set this up correctly in
> your syncrepl section :
>
>  starttls=yes
>  tls_cacert=/path/to/certificate
>
> I suspect better if TLS_CACERT is also properly
> set up in both ldap server slapd config.
>
> ---
> Olivier
>
> On Thu, Oct 13, 2011 at 6:38 PM, Hugo Deprez <hugo.deprez@gmail.com> wrote:
>> Dear community,
>>
>> I set up a syncrepl between my master OpenLDAP server and a consumer.
>>
>> I am trying to use SSL for this syncrepl.
>> I get the following error in the log when I start slapd on the consumer:
>>
>> Oct 13 17:04:59 server slapd[16905]: slapd starting
>> Oct 13 17:04:59 server slapd[16905]: slap_client_connect:
>> URI=ldaps://ldap.mydomain.fr:1024/
>> DN="cn=syncrepluser,o=others,dc=mydomain,dc=fr" ldap_sasl_bind_s
>> failed (-1)
>> Oct 13 17:04:59 server slapd[16905]: do_syncrepl: rid=003 rc -1
>> retrying (9 retries left)
>>
>>
>> I don't understand why it is failing as a single ldapsearch from the
>> same server with the syncrepl user is working.
>>
>> Here is my syncrepl configuration:
>>
>> Syncrepl  rid=003
>>               provider=ldaps://ldap.mydomain.fr:1024/
>>               type=refreshOnly
>>               retry="60 10 600 +"
>>               interval=00:00:00:10
>>               searchbase="dc=mydomain,dc=fr"
>>               scope=sub
>>               schemachecking=on
>>               bindmethod=simple
>>               binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
>>               credentials=my_password
>>
>>
>> Any idea ?
>>
>> Regards,
>>
>> Hugo
>>
>>
>
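The thread ends without a resolution, so as an added example (not code posted by Hugo or Olivier, and not part of OpenLDAP) here is a small linter for the two configuration fragments quoted above. It parses a slapd.conf syncrepl directive the way slapd reads it (continuation lines begin with whitespace, values may be double-quoted) and flags the TLS option combinations a defender would check first when the consumer logs `ldap_sasl_bind_s failed (-1)`: `starttls=yes` on an `ldaps://` URI (redundant, since that session is already TLS), a missing `tls_cacert` with the default `tls_reqcert=demand`, `tls_cert` without `tls_key`, and a provider whose `TLSCACertificateFile` is its own `TLSCertificateFile`, which points at a self-signed certificate that the consumer's `tls_cacert` must then contain verbatim. The sample blocks are the ones quoted in the thread, embedded as constructed input; the finding codes are this example's own.

```python
"""Lint the TLS options of a slapd.conf syncrepl directive.

Added example for the thread above; not code from any of the posters.
Parses a syncrepl block the way slapd.conf is read and flags the TLS
settings that commonly produce ldap_sasl_bind_s failed (-1) on a consumer.
"""
import re
import shlex

# Constructed sample: the consumer block quoted in the thread above.
CONSUMER_SYNCREPL = """\
Syncrepl  rid=003
             provider=ldaps://ldap.mydomain.fr:1024/
             type=refreshOnly
             retry="60 10 600 +"
             interval=00:00:00:10
             searchbase="dc=mydomain,dc=fr"
             scope=sub
             schemachecking=on
             bindmethod=simple
             starttls=yes
             tls_cert=/etc/ssl/certs/ldap-cert.pem
             tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem
             binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
             credentials=my_password
"""

# Constructed sample: the provider's global TLS directives from the thread.
PROVIDER_TLS = """\
TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem
"""


def parse_syncrepl(text):
    """Return the syncrepl options as a dict with lower-cased keys."""
    # slapd.conf treats a line starting with whitespace as a continuation.
    joined = re.sub(r"\n[ \t]+", " ", text.strip())
    tokens = shlex.split(joined)          # removes the double quotes
    if not tokens or tokens[0].lower() != "syncrepl":
        raise ValueError("not a syncrepl directive")
    opts = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")   # split on the first '=' only
        if not sep:
            raise ValueError("malformed option: %r" % tok)
        opts[key.lower()] = value
    return opts


def parse_provider_tls(text):
    """Return the global TLS* directives of a provider slapd.conf as a dict."""
    directives = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            directives[parts[0]] = parts[1].strip()
    return directives


def lint_tls(consumer, provider=None):
    """Return (code, message) findings for the consumer's TLS settings."""
    findings = []
    scheme = consumer.get("provider", "").split(":", 1)[0].lower()
    starttls = consumer.get("starttls", "no").lower()

    if scheme == "ldaps" and starttls != "no":
        findings.append(("STARTTLS_ON_LDAPS",
            "starttls=%s on an ldaps:// URI is redundant: the session is TLS "
            "from the first byte; starttls is meant for ldap:// URIs" % starttls))
    if scheme == "ldap" and starttls == "no":
        findings.append(("PLAINTEXT",
            "ldap:// without starttls: bind credentials and replicated data "
            "cross the network in clear"))
    if scheme == "ldap" and starttls == "yes":
        findings.append(("STARTTLS_NOT_CRITICAL",
            "starttls=yes continues in clear text if StartTLS fails; "
            "starttls=critical aborts the session instead"))
    if "tls_cacert" not in consumer and "tls_cacertdir" not in consumer:
        findings.append(("NO_TLS_CACERT",
            "no tls_cacert/tls_cacertdir: with the default tls_reqcert=demand "
            "a private-CA or self-signed provider certificate cannot be verified"))
    if "tls_cert" in consumer and "tls_key" not in consumer:
        findings.append(("CERT_WITHOUT_KEY",
            "tls_cert without tls_key: the client certificate cannot be used"))
    if provider and provider.get("TLSCACertificateFile") == provider.get(
            "TLSCertificateFile"):
        findings.append(("SELF_SIGNED_PROVIDER",
            "provider's TLSCACertificateFile is its own TLSCertificateFile, "
            "which points at a self-signed certificate; the consumer's "
            "tls_cacert must then contain that same certificate"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_tls(parse_syncrepl(CONSUMER_SYNCREPL),
                              parse_provider_tls(PROVIDER_TLS)):
        print("%-22s %s" % (code, msg))
```

Run against the two fragments from the thread it reports `STARTTLS_ON_LDAPS`, `CERT_WITHOUT_KEY` and `SELF_SIGNED_PROVIDER`; run against the block from the first post it reports only `NO_TLS_CACERT`. Whether a given finding is the actual cause of the `-1` still has to be confirmed by checking that the certificate in the consumer's `tls_cacert` file really is the provider's certificate (`openssl x509 -noout -fingerprint` on both files) and by reading the consumer's log at a higher `loglevel`; the linter only narrows the search.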