
syncrepl failing with TLS negotiation failure



Hello,

I'm trying to get syncrepl working, using simple bind over TLS. TLS is
failing with

Consumer:
Oct 12 17:21:53 auth-01 slapd[23241]: slap_client_connect: URI=ldap://auth-00.vis.kaust.edu.sa Error, ldap_start_tls failed (-11)
Oct 12 17:21:53 auth-01 slapd[23241]: do_syncrepl: rid=000 rc -11 retrying (3 retries left)

Provider:
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 fd=137 ACCEPT from IP=109.171.138.17:39458 (IP=0.0.0.0:389)
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 op=0 STARTTLS
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 op=0 RESULT oid= err=0 text=
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 fd=137 closed (TLS negotiation failure)

TLS is working for other uses of the server including ldapsearch:
auth-01$ ldapsearch -ZZ -x -D cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa -W -H ldap://auth-00.vis.kaust.edu.sa uid=iain

Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 fd=137 ACCEPT from IP=109.171.138.17:39460 (IP=0.0.0.0:389)
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 op=0 STARTTLS
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 op=0 RESULT oid= err=0 text=
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 fd=137 TLS established tls_ssf=256 ssf=256
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=1 BIND dn="cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa" method=128
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=1 BIND dn="cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa" mech=SIMPLE ssf=0
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=1 RESULT tag=97 err=0 text=
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=2 SRCH base="dc=vis,dc=kaust,dc=edu,dc=sa" scope=2 deref=0 filter="(uid=iain)"
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=2 ENTRY dn="uid=iain,ou=people,dc=vis,dc=kaust,dc=edu,dc=sa"
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=3 UNBIND
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 fd=137 closed

and any number of clients are cheerfully using it through
{pam,nss}_ldap and sssd.

I'm not sure where to attack this from. The TLS settings should be
identical. Any thoughts on how to proceed would be appreciated.

consumer:
$ lsb_release -a
LSB Version:	:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID:	Scientific
Description:	Scientific Linux release 6.1 (Carbon)
Release:	6.1
Codename:	Carbon
$ rpm -q openldap-servers
openldap-servers-2.4.23-15.el6.x86_64

From slapd.conf:
syncrepl rid=000
        provider=ldap://auth-00.vis.kaust.edu.sa
        searchbase=dc=vis,dc=kaust,dc=edu,dc=sa
        bindmethod=simple
        binddn=cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa
        credentials=mysecret
        type=refreshOnly
        retry="10 3 120 5 600 +"
        tls_cacert=/etc/ssl/VisLabCA.pem
        tls_reqcert=allow
        starttls=critical


provider:
$ lsb_release -a
LSB Version:	:core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID:	CentOS
Description:	CentOS release 5.6 (Final)
Release:	5.6
Codename:	Final
$ rpm -q openldap-servers
openldap-servers-2.3.43-12.el5_5.3


    Iain.

-- 
Systems Engineer
KAUST Visualisation Laboratory
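A provider-side log check, added here as an example and not part of Iain's post or of OpenLDAP: it walks slapd log lines like the ones quoted above, follows each conn id from ACCEPT through STARTTLS, and reports connections that requested STARTTLS but ended in "TLS negotiation failure" (conn=451 above), going one step further to also flag simple binds whose credentials travelled without a TLS layer. The sample lines are copied from the post; the regexes and field names are my assumptions about the slapd log format.

```python
import re

# Constructed sample, copied from the provider log in the post: conn=451 is the
# syncrepl consumer whose STARTTLS failed, conn=466 the ldapsearch that worked.
SAMPLE_LOG = """\
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 fd=137 ACCEPT from IP=109.171.138.17:39458 (IP=0.0.0.0:389)
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 op=0 STARTTLS
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 fd=137 closed (TLS negotiation failure)
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 fd=137 ACCEPT from IP=109.171.138.17:39460 (IP=0.0.0.0:389)
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 op=0 STARTTLS
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 fd=137 TLS established tls_ssf=256 ssf=256
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=1 BIND dn="cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa" mech=SIMPLE ssf=0
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
BIND_RE = re.compile(r'BIND dn="([^"]*)" mech=(\S+)')

def summarize_tls(log_text):
    """Per-connection STARTTLS outcome keyed by conn id: status is
    no_starttls, pending, established or negotiation_failure."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = m.groups()
        c = conns.setdefault(cid, {"peer": None, "status": "no_starttls",
                                   "tls_ssf": 0, "binds": []})
        if (a := ACCEPT_RE.search(rest)):
            c["peer"] = a.group(1)
        elif rest.endswith(" STARTTLS"):
            c["status"] = "pending"
        elif (t := TLS_RE.search(rest)):
            c["status"], c["tls_ssf"] = "established", int(t.group(1))
        elif (b := BIND_RE.search(rest)):
            # The BIND line's own ssf= is the SASL layer; transport protection is tls_ssf.
            c["binds"].append((b.group(1), b.group(2), c["tls_ssf"] > 0))
        elif rest.endswith("closed (TLS negotiation failure)"):
            c["status"] = "negotiation_failure"
    return conns

def failed_starttls(log_text):
    """(conn id, peer IP) for connections that asked for STARTTLS but never established it."""
    return [(cid, c["peer"]) for cid, c in summarize_tls(log_text).items()
            if c["status"] in ("pending", "negotiation_failure")]

def cleartext_simple_binds(log_text):
    """(conn id, bind DN) for simple binds sent on a connection with no TLS layer."""
    return [(cid, dn) for cid, c in summarize_tls(log_text).items()
            for dn, mech, over_tls in c["binds"] if mech == "SIMPLE" and not over_tls]
```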