[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slurpd silly error ?

To: Pierangelo Masarati <ando@sys-net.it>
Subject: Re: slurpd silly error ?
From: "jehan.procaccia" <jehan.procaccia@int-evry.fr>
Date: Wed, 09 Feb 2005 09:22:45 +0100
Cc: openldap-software@OpenLDAP.org
In-reply-to: <42094EAD.8050208@sys-net.it>
References: <42090AD2.20203@int-evry.fr> <42094EAD.8050208@sys-net.it>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040922

Pierangelo Masarati wrote:

jehan.procaccia wrote:
Retrying operation for DN uid=test,ou=People,dc=int-evry,dc=fr on replica calaz.int-evry.fr:9389 Error: ldap_simple_bind_s for calaz.int-evry.fr:9389 failed: Can't contact LDAP server

However when I search the slave it responds OK: $ ldapsearch -x uid=test -h localhost -p 9389 -D "cn=replicator,ou=System,dc=int-evry,dc=fr"" -W homePostalAddress -LLL
My first guess is that the client works because you use "localhost" while slurpd doesn't because you use a fully qualified name, and (a) the name may not resolve to the right host, or (b) the slave might not be listening on the appropriate listener, e.g. it was started with -h "ldap://localhost:9389"; or anything like that.

Indeed ! I knew it should be something silly ... Now I start my slave this way: -h '"ldap://calaz.int-evry.fr:9389/ ldaps://calaz.int-evry.fr:9636/" and it's OK ;-), thanks !.

Second step now (this was my original purpose ) I want to impose starttls=critical in replication unfortunaltly I get slurpd : Error: ldap_start_tls failed: Connect error (-11) Retrying operation for DN uid=test,ou=People,dc=int-evry,dc=fr on replica calaz.int-evry.fr:9389 request 1 done TLS certificate verification: Error, self signed certificate in certificate chain TLS: can't connect.

on both master and slave slapd.conf has:
TLSCACertificateFile /etc/x509/ca.crt
TLSCertificateFile /etc/x509/slapd-calaz.crt
TLSCertificateKeyFile /etc/x509/slapd-calaz.key

The ca.crt is our "pki" root certificate who signed slapd-calaz.crt

Master:
replica host=calaz.int-evry.fr:9389
 binddn="cn=replicator,ou=System,dc=int-evry,dc=fr"
 bindmethod=simple   credentials=secret starttls=critical
replogfile /usr/local/openldap-2.2.20-1/var/lib/ldap/replica/replogfile

Slave:
updatedn "cn=replicator,ou=System,dc=int-evry,dc=fr"
updateref "ldap://calaz.int-evry.fr:389";

$ tail -3  /etc/openldap/ldap.conf
HOST calaz.int-evry.fr
BASE dc=int-evry,dc=fr
TLS_CACERT /etc/x509/ca.crt

However a startTLS ldapsearch (-ZZ) works fine $ ldapsearch -x uid=test -h calaz.int-evry.fr -p 9389 -D "cn=admin,dc=int-evry,dc=fr" -W homePostalAddress -LLL -ZZ Enter LDAP Password: dn: uid=test,ou=People,dc=int-evry,dc=fr homePostalAddress: 9 fev 8:55

something silly again ?

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- slurpd silly error ?
  - From: "jehan.procaccia" <jehan.procaccia@int-evry.fr>
- Re: slurpd silly error ?
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: EQUALITY octetStringMatch for JPEG
Next by Date: How can I re-start the DB from scratch without damaging OpenLDAP?
Index(es):
- Chronological
- Thread