
Re: Syncrepl SSL fail



On 10/14/2011 07:10 AM, Hugo Deprez wrote:
Hello,

On the provider I have the following settings:

TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem

but no TLSCipherSuite defined.
That should be fine. You don't need to define a TLSCipherSuite.
I added the starttls=yes on the consumer:

Syncrepl  rid=003
              provider=ldaps://ldap.mydomain.fr:1024/
              type=refreshOnly
              retry="60 10 600 +"
              interval=00:00:00:10
              searchbase="dc=mydomain,dc=fr"
              scope=sub
              schemachecking=on
              bindmethod=simple
              starttls=yes
You should have starttls=critical or it will attempt to fall back to plain LDAP if it cannot establish TLS.
              tls_cert=/etc/ssl/certs/ldap-cert.pem
You should not have tls_cert here, since you are trying to use dn/password auth. tls_cert is useless without tls_key anyway.
              tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem
              binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
              credentials=my_password


But still the same error.

Any idea?

Hugo
On 14 October 2011 13:52, Olivier Guillard <olivier@guillard.nom.fr> wrote:
Hi,

Have you set up the following appropriately:

TLSCertificateFile
TLSCertificateKeyFile
TLSCipherSuite

On the provider ?

You probably also want to set this up correctly in
your syncrepl section:

  starttls=yes
  tls_cacert=/path/to/certificate

I suspect it is better if TLS_CACERT is also properly
set up in both LDAP servers' slapd configs.

---
Olivier

On Thu, Oct 13, 2011 at 6:38 PM, Hugo Deprez <hugo.deprez@gmail.com> wrote:
Dear community,

I set up a syncrepl between my master OpenLDAP server and a consumer.

I am trying to use SSL for this syncrepl.
I got the following error in the log when I start slapd on the consumer:

Oct 13 17:04:59 server slapd[16905]: slapd starting
Oct 13 17:04:59 server slapd[16905]: slap_client_connect:
URI=ldaps://ldap.mydomain.fr:1024/
DN="cn=syncrepluser,o=others,dc=mydomain,dc=fr" ldap_sasl_bind_s
failed (-1)
Oct 13 17:04:59 server slapd[16905]: do_syncrepl: rid=003 rc -1
retrying (9 retries left)


I don't understand why it is failing as a single ldapsearch from the
same server with the syncrepl user is working.

Here is my syncrepl configuration:

Syncrepl  rid=003
               provider=ldaps://ldap.mydomain.fr:1024/
               type=refreshOnly
               retry="60 10 600 +"
               interval=00:00:00:10
               searchbase="dc=mydomain,dc=fr"
               scope=sub
               schemachecking=on
               bindmethod=simple
               binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
               credentials=my_password


Any idea?

Regards,

Hugo
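As an added illustration that is not part of the thread or of OpenLDAP, the points raised in the replies (starttls=critical, tls_cert without tls_key, tls_cacert, cleartext simple bind) turned into a small checker for a syncrepl directive. The parser is a simplified one for slapd.conf continuation lines and quoted values, and the sample directive is the consumer's posted configuration, embedded here as constructed input.

```python
import re

# Constructed sample: the consumer directive as posted in the thread, including
# the starttls=yes and tls_cert lines that the reply objects to.
SAMPLE_SYNCREPL = """\
Syncrepl  rid=003
              provider=ldaps://ldap.mydomain.fr:1024/
              type=refreshOnly
              retry="60 10 600 +"
              interval=00:00:00:10
              searchbase="dc=mydomain,dc=fr"
              scope=sub
              schemachecking=on
              bindmethod=simple
              starttls=yes
              tls_cert=/etc/ssl/certs/ldap-cert.pem
              tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem
              binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
              credentials=my_password
"""

def parse_syncrepl(text):
    """Split a syncrepl directive into a {key: value} dict.
    slapd.conf continues a directive on lines starting with whitespace; values
    may be double-quoted (quotes stripped; backslash escapes not handled)."""
    joined = re.sub(r"\n[ \t]+", " ", text.strip())
    body = re.sub(r"^syncrepl\s+", "", joined, flags=re.IGNORECASE)
    return {k.lower(): v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}

def lint_syncrepl(pairs):
    """Return findings about how the directive protects the replication
    channel and the bind credentials, following the advice in the thread."""
    findings = []
    uri = pairs.get("provider", "").lower()
    starttls = pairs.get("starttls", "no").lower()   # slapd default is no
    bindmethod = pairs.get("bindmethod", "").lower()
    if starttls == "yes":
        findings.append("starttls=yes falls back to plain LDAP if TLS fails; use starttls=critical")
    if "tls_cert" in pairs and "tls_key" not in pairs:
        findings.append("tls_cert without tls_key is useless")
    if "tls_cert" in pairs and bindmethod == "simple":
        findings.append("tls_cert is not needed for DN/password (simple) auth")
    if "tls_cacert" not in pairs:
        findings.append("tls_cacert missing: the provider certificate cannot be verified")
    if bindmethod == "simple" and not (uri.startswith("ldaps://") or starttls == "critical"):
        findings.append("simple bind over an unprotected channel sends the password in cleartext")
    return findings
```

Running lint_syncrepl(parse_syncrepl(SAMPLE_SYNCREPL)) reports the three issues from the reply; with starttls=critical and the tls_cert line removed it reports none.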