RE: syncrepl fails after upgrade to openldap 2.4.45



Cert authentication works on 2.4.44-r1 without any problem.

I have now downloaded the source code, configured, compiled and installed it manually.

Configure options:

./configure --disable-bdb --disable-hdb --enable-accesslog --enable-auditlog --enable-deref --enable-memberof --enable-ppolicy --enable-proxycache --enable-syncprov --enable-valsort

After compilation 'make test' completed successfully without any errors.

Everything works fine with 2.4.44-r1, but there are still certificate problems with 2.4.45, complaining about self-signed certificates.

Configurations with 2.4.44-r1 and 2.4.45 are identical, both are compiled with the same version of OpenSSL libraries (OpenSSL 1.0.2l  25 May 2017) and are using the same certificates.

I have done strace:

2.4.44-r1:
=======
ldap_create
ldap_create
ldap_url_parse_ext(ldaps://fw1.dannatu.ch:636)
ldap_url_parse_ext(ldaps://fw0.dannatu.ch:636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw1.dannatu.ch:636
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw0.dannatu.ch:636
ldap_new_socket: 13
ldap_prepare_socket: 13
ldap_connect_to_host: Trying 10.0.0.11:636
ldap_pvt_connect: fd: 13 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
ldap_new_socket: 14
ldap_prepare_socket: 14
ldap_connect_to_host: Trying 10.0.0.10:636
ldap_pvt_connect: fd: 14 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: depth: 0, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: depth: 1, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS certificate verification: depth: 0, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request

2.4.45:
=====
ldap_create
ldap_url_parse_ext(ldaps://fw1.dannatu.ch:636)
ldap_url_parse_ext(ldaps://fw0.dannatu.ch:636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw0.dannatu.ch:636
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw1.dannatu.ch:636
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 10.0.0.10:636
ldap_pvt_connect: fd: 15 tm: -1 async: 0
attempting to connect:
ldap_new_socket: 16
ldap_prepare_socket: 16
ldap_connect_to_host: Trying 10.0.0.11:636
ldap_pvt_connect: fd: 16 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
connect success
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: Error, self signed certificate in certificate chain
TLS certificate verification: depth: 1, err: 19, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
5950a07f slap_client_connect: URI=ldaps://fw1.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
5950a07f slap_client_connect: URI=ldaps://fw0.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
5950a07f do_syncrepl: rid=001 rc -1 retrying (4 retries left)
5950a07f do_syncrepl: rid=000 rc -1 retrying (4 retries left)

Still can't find a cause for this behavior.

Kind regards 

Juergen Sprenger



-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com] 
Sent: Friday, June 23, 2017 6:33 PM
To: Sprenger Jürgen, INI-ON-CIS-SDI-HES <Juergen.Sprenger@swisscom.com>; openldap-technical@openldap.org
Subject: RE: syncrepl fails after upgrade to openldap 2.4.45

--On Friday, June 23, 2017 8:30 AM +0000 Juergen.Sprenger@swisscom.com wrote:

> Have also added these entries to syncrepl now, but without any success:
>
>   tls_cert=/etc/ssl/openldap/dannatu.ch.pem
>   tls_key=/etc/ssl/openldap/dannatu.ch.key
>   tls_cacert=/etc/ssl/certs/dannatuCA-cacert.pem

This would indicate you want to do client cert authentication with the syncrepl client, which as far as I know, you are not using (based on your earlier configuration).  You need to remove the tls_cert and tls_key lines. 
I've tested with OpenLDAP 2.4.45 and TLS works as expected with replication.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
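Added example, not code from either message in this thread or from the OpenLDAP project: a small Python parser for the libldap `TLS certificate verification:` trace lines shown in the 2.4.44-r1 and 2.4.45 traces above. It re-joins lines that the mail client hard-wrapped, extracts depth, error number, subject and issuer, maps the OpenSSL X509 verify code to its meaning (err 19 is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, the same condition the 2.4.45 trace reports as "self signed certificate in certificate chain"), and flags the case where the self-signed CA at depth 1 is not accepted, which points at the client's trust store (tls_cacert in the syncrepl stanza, or TLSCACertificateFile) rather than at the server certificate. The sample trace is a constructed excerpt copied from the 2.4.45 trace above with the mail wrapping kept; the continuation-line heuristic and the selection of error codes in the table are my own assumptions.

```python
"""Summarise libldap 'TLS certificate verification' trace lines from a debug log."""
import re
from collections import namedtuple

Verification = namedtuple("Verification", "depth err subject issuer")

# One verification result per chain depth, as libldap prints it with -d enabled.
VERIFY_RE = re.compile(
    r"^TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.+?), issuer: (?P<issuer>.+)$"
)

# Lines that start a new trace record; anything else is treated as a wrapped continuation
# (assumption: mail clients wrap long lines but never insert one of these prefixes).
RECORD_START = re.compile(r"^(TLS |ldap_|connect|attempting|[0-9a-f]{8} )")

# Subset of OpenSSL X509_V_ERR_* values that appear in the "err:" field.
X509_ERRORS = {
    0: "ok",
    18: "self signed certificate (leaf certificate itself is self-signed)",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}


def cn_of(dn):
    """Return the CN attribute of an OpenSSL-style '/C=../O=../CN=..' DN."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else dn


def parse_trace(text):
    """Re-join hard-wrapped lines and extract the per-depth verification results."""
    joined = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += line  # continuation of the previous (wrapped) record
    results = []
    for line in joined:
        m = VERIFY_RE.match(line)
        if m:
            results.append(Verification(int(m["depth"]), int(m["err"]),
                                        m["subject"], m["issuer"]))
    return results


def diagnose(results):
    """Turn non-zero verification results into findings a defender can act on."""
    findings = []
    for v in results:
        if v.err == 0:
            continue
        reason = X509_ERRORS.get(v.err, "X509 verify error %d" % v.err)
        msg = "depth %d (%s): err %d, %s" % (v.depth, cn_of(v.subject), v.err, reason)
        if v.err == 19 and v.subject == v.issuer:
            # The chain terminates in a self-signed CA that the client does not trust.
            msg += ("; this self-signed CA is not in the client's trust store "
                    "(check tls_cacert / TLSCACertificateFile on the consumer)")
        findings.append(msg)
    return findings


# Constructed excerpt of the 2.4.45 trace above, with the mail wrapping left in place.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAd
dress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS certificate verification: depth: 0, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddres
s=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
"""

if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Run it against a captured `slapd -d -1` or `ldapsearch -d -1` log instead of SAMPLE_TRACE; a depth-0 result with err 0 next to a depth-1 result with err 19, as in the 2.4.45 trace, means the server certificate itself parses fine and the failure is the consumer not trusting the CA that signed it.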