
syncrepl fails after upgrade to openldap 2.4.45



Hi,

after upgrading from openldap-2.4.44-r1 to openldap-2.4.45 on my Gentoo machine multi-master replication does not work anymore.

Has anything changed in configuration options for syncrepl or are certificates treated differently now?

In the logs I found the following message:

Jun 22 10:33:13 ids00000 slapd[30734]:  [ID 000001  (local4.debug)] slap_client_connect: URI=ldaps://ldap.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)

Running slapd in foreground with -d -1 revealed this message:

TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
594b8120 slap_client_connect: URI=ldaps://ldap.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)

My syncrepl configuration:

syncrepl rid=000
  provider=ldaps://ldap.dannatu.ch:636
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=dannatu,dc=ch"
  attrs="*,+"
  scope=sub
  bindmethod=simple
  binddn="cn=Manager,dc=dannatu,dc=ch"
  credentials=**************

I have verified the certificate and my self-signed CA certificate with openssl, and both are ok:

# openssl verify /etc/ssl/certs/dannatuCA-cacert.pem
/etc/ssl/certs/dannatuCA-cacert.pem: OK

# openssl verify /etc/ssl/openldap/dannatu.ch.pem
/etc/ssl/openldap/dannatu.ch.pem: OK

Also verification with openssl s_client seems ok:

# openssl s_client -connect ldap.dannatu.ch:636 -tls1_2
CONNECTED(00000003)
depth=1 C = CH, ST = Solothurn, L = Solothurn, O = Dannatu AG, OU = IT, CN = Dannatu AG CA, emailAddress = admin@dannatu.ch
verify return:1
depth=0 C = CH, ST = Solothurn, L = Solothurn, O = Dannatu AG, OU = IT, CN = dannatu.ch, emailAddress = admin@dannatu.ch
verify return:1
---
Certificate chain
 0 s:/C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddress=admin@dannatu.ch
   i:/C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
 1 s:/C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
   i:/C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
---

After downgrading to openldap-2.4.44-r1 everything worked fine again. Seems certificate handling has changed. Any hints?

Juergen Sprenger
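The two slapd -d -1 lines in the post contain everything needed to classify the failure. The following added example (not part of the post or of OpenLDAP) decodes the packed OpenSSL error code, maps the X.509 verify reason to its X509_V_ERR_* constant, and reproduces the consumer-side check with a CA file the way libldap does with TLS_CACERT; the probe() function and the helper names are assumptions of this example.

```python
"""Triage helper for the syncrepl TLS failure quoted above (added example)."""
import re
import socket
import ssl

# Constructed sample: the two lines from the slapd -d -1 output in the post.
SAMPLE_LOG = """\
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
594b8120 slap_client_connect: URI=ldaps://ldap.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
"""

# X.509 verify reasons that mean "this client has no trust anchor for the peer chain"
# (OpenSSL's X509_V_ERR_* names and numeric codes).
TRUST_ANCHOR_ERRORS = {
    "self signed certificate in certificate chain": ("X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN", 19),
    "self signed certificate": ("X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT", 18),
    "unable to get local issuer certificate": ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY", 20),
}

TLS_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^(]+?)\s*(?:\(([^)]*)\))?\.?$")
CONN_RE = re.compile(r'slap_client_connect: URI=(\S+) DN="([^"]+)" (\w+) failed \((-?\d+)\)')

def decode_openssl_error(code: str) -> dict:
    """Unpack an OpenSSL 1.0.x-style packed error: lib (8 bits) | func (12 bits) | reason (12 bits)."""
    n = int(code, 16)
    return {"lib": n >> 24, "func": (n >> 12) & 0xFFF, "reason": n & 0xFFF}

def triage(log: str) -> dict:
    """Return what the consumer tried to do and why its TLS client rejected the provider."""
    result = {}
    for line in log.splitlines():
        m = TLS_RE.search(line)
        if m:
            code, _lib, func, reason, detail = m.groups()
            result.update(openssl=decode_openssl_error(code), ssl_func=func,
                          ssl_reason=reason.strip(), x509_detail=(detail or "").strip())
            name, num = TRUST_ANCHOR_ERRORS.get(result["x509_detail"], (None, None))
            result.update(x509_err=name, x509_err_num=num)
            # A trust-anchor error is local to the consumer: an "OK" from openssl against the
            # system store proves nothing, libldap only trusts what TLS_CACERT/TLS_CACERTDIR name.
            result["missing_trust_anchor"] = name is not None
        m = CONN_RE.search(line)
        if m:
            result.update(uri=m.group(1), binddn=m.group(2), op=m.group(3), rc=int(m.group(4)))
    return result

def probe(host: str, port: int, cafile: str) -> str:
    """Check the provider with exactly the CA file the consumer's ldap.conf TLS_CACERT would name."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname check, like TLS_REQCERT demand
    try:
        with socket.create_connection((host, port), timeout=5) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok: " + dict(rdn[0] for rdn in tls.getpeercert()["subject"]).get("commonName", "?")
    except ssl.SSLCertVerificationError as exc:
        return f"verify failed ({exc.verify_code}): {exc.verify_message}"
```

Run triage(SAMPLE_LOG) to see the decoded reason, then probe("ldap.dannatu.ch", 636, "/etc/ssl/certs/dannatuCA-cacert.pem") from the consumer host: if that returns "ok" but slapd still fails, the file is not the one libldap is reading (ldap.conf TLS_CACERT or the syncrepl tls_cacert option), which is the first thing to compare between the two OpenLDAP versions.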