
Re: n-way multimaster replication with ssl and tls



Yes

I am able to access it with JXplorer using TLS and port 636.

I am using a different self-signed certificate for each server.

I have done the same configuration on 3 servers.

I have /etc/openldap/ldap.conf and /apps/openldap/etc/openldap/ldap.conf files.

I have compiled LDAP to the /apps/openldap directory.

I am getting the same output running on each server against the other 2 servers.

[root@sjprodam01 ~]# openssl s_client -connect mmprodam01.abc.com:636  -showcerts
CONNECTED(00000003)
depth=0 C = IN, ST = HR, L = GGN, O = SAP, OU = ISST, CN = mmprodam01.abc.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = HR, L = GGN, O = SAP, OU = ISST, CN = mmprodam01.abc.com
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com
   i:/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com
-----BEGIN CERTIFICATE-----
MIICoDCCAgmgAwIBAgIJAJ5P5x76CGAUMA0GCSqGSIb3DQEBBQUAMGkxCzAJBgNV
BAYTAklOMQswCQYDVQQIDAJIUjEMMAoGA1UEBwwDR0dOMRAwDgYDVQQKDAdTQVBJ
RU5UMQ0wCwYDVQQLDARJU1NUMR4wHAYDVQQDDBVtbXByb2RhbTAxLm5hc2Nhci5j
b20wHhcNMTIxMTE2MDMyMDAxWhcNMTMxMTE2MDMyMDAxWjBpMQswCQYDVQQGEwJJ
TjELMAkGA1UECAwCSFIxDDAKBgNVBAcMA0dHTjEQMA4GA1UECgwHU0FQSUVOVDEN
MAsGA1UECwwESVNTVDEeMBwGA1UEAwwVbW1wcm9kYW0wMS5uYXNjYXIuY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDETDjOiWY1hkHcZ82BRtDabD7mPN8
A9OwLAule0NC6Y76mI8fHDs+vip9P6ASyVaSkxT8g+dOLGDBBy7winj52wcnP9aW
u38kE5Sm+suSFLlJ3A0uIfgmLr6dglyGsFMiYJCkeHKxBpF5zeJHTnKpqWZ+emwj
XwO0Dv22AYvATQIDAQABo1AwTjAdBgNVHQ4EFgQUhhRZ1mSzr1zccS4aHSKcoy8o
F5owHwYDVR0jBBgwFoAUhhRZ1mSzr1zccS4aHSKcoy8oF5owDAYDVR0TBAUwAwEB
/zANBgkqhkiG9w0BAQUFAAOBgQCr2gh0U000EttpCQeSjAoUjjkHB3zWMpGZ64Pr
SynPEy7uTFT4N5SRx11dZAHIOslQLhr8MiobqX+9EGvQo9ua3TQKd/jT+tgX32Nc
iZZyerd6IcT4SZTvH67UZwTxtlqu397Ti8cI8fcqziHoY76MBHCVcG6pvpW4e5H+
LvitdA==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com
issuer=/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com
---
No client certificate CA names sent
---
SSL handshake has read 1008 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 2D97EE613D427036C9A1B1BB5E2371283763DDA8A761D9BED3385D4793E6E061
    Session-ID-ctx:
    Master-Key: 161A39EC4E5B5C0E0F211A014E6CE4B643F77C8C77B9175BFEF399A08319A56C9C199AF417E09EA9508579368E31F7AA
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 82 43 eb e1 46 c2 bd 6f-7a 8b 44 20 cc 8a d5 c4   .C..F..oz.D ....
    0010 - 9f 34 ee 02 36 1b 24 32-05 7e e4 3c a7 de 01 e6   .4..6.$2.~.<....
    0020 - c0 b9 39 8b 50 b6 b8 b2-21 3a 81 02 16 3d a1 b1   ..9.P...!:...=..
    0030 - b6 ac 98 fe 34 f5 ba e2-f1 e2 30 c8 ed ad f8 8b   ....4.....0.....
    0040 - 00 5f bf f8 ed 75 90 65-7e c1 e6 b5 b1 e7 a3 ba   ._...u.e~.......
    0050 - 75 67 6e a3 d2 ab f5 2b-20 77 31 90 cd 3f b0 38   ugn....+ w1..?.8
    0060 - 1f 60 da e9 8e dc 7c e2-97 56 95 55 61 c9 51 da   .`....|..V.Ua.Q.
    0070 - c7 4f 65 13 48 64 8f 67-1d d1 75 b2 91 b2 7c b5   .Oe.Hd.g..u...|.
    0080 - 7e 5f 6b 7b 61 e3 73 63-2b d7 91 c0 91 61 e7 27   ~_k{a.sc+....a.'
    0090 - 16 4b c5 e9 e0 ea 03 7a-6c 77 51 77 5c b6 f0 93   .K.....zlwQw\...
    00a0 - ab 82 f9 8c 23 06 61 88-86 43 5a 20 1a 11 c5 e7   ....#.a..CZ ....

    Compression: 1 (zlib compression)
    Start Time: 1353129151
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
^C



On Sat, Nov 17, 2012 at 11:22 AM, houston <houston.r.hopkins@gmail.com> wrote:
Just curious, did you get LDAP running over SSL on RHEL 6.3? If so, did you have to compile your own or did you use the Red Hat version? I can't seem to get ldapsearch to work over ldaps when using Red Hat's 2.4 version.

thx,
Houston

anil beniwal <beni.anil@gmail.com> wrote:
Hi List

Can anybody guide me through the steps required to set up n-way multimaster (3 or more servers in different countries) replication with OpenLDAP 2.4.2:

1. SSL based
2. TLS based

I have normal replication running between 3 servers. Now I want to set up secure replication.

I am using a self-signed certificate on RHEL 6.3.
How can I validate whether replication is working fine for SSL or TLS?
How do I enable replication logs?

Anything else I should check out?

I have already gone through a lot of postings on Google.


--

Thanks & Regards
Anil Beniwal
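The openssl s_client run above ends with "Verify return code: 18 (self signed certificate)", which is the clue that matters for replication: the client side has no trust anchor for the peer's certificate, so a syncrepl consumer configured to verify the provider (TLS_REQCERT demand) will refuse the connection until the peer certificate, or the CA that signed it, is listed in TLS_CACERT of the ldap.conf that the replica actually reads. The script below is an added example written for this thread, not code from the list or from the OpenLDAP project. It does two things: parse_s_client() and findings() read s_client style output (the embedded sample is taken from the run quoted above, trimmed to the lines parsed) and report what an administrator should fix before trusting the link; verify_ldaps() performs the same handshake from Python with an explicit CA file and hostname verification, so each replica can be checked against the other two with the same trust store slapd will use. The hostname, port and CA file path passed on the command line are assumptions.

```python
"""Check an ldaps:// replica's TLS setup: parse s_client output for trust
problems, and do a verified handshake with an explicit CA file.

Added example for the mailing list thread; not OpenLDAP code.
"""
import re
import socket
import ssl
import sys

# Taken from the openssl s_client run quoted in the thread, trimmed to the
# lines this script parses.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 C = IN, ST = HR, L = GGN, O = SAP, OU = ISST, CN = mmprodam01.abc.com
verify error:num=18:self signed certificate
verify return:1
---
Server certificate
subject=/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com
issuer=/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 18 (self signed certificate)
"""


def parse_s_client(output):
    """Extract the fields that drive a trust decision from s_client output."""
    def grab(pattern):
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None

    info = {
        "subject": grab(r"^subject=(.*)$"),
        "issuer": grab(r"^issuer=(.*)$"),
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "key_bits": grab(r"^Server public key is (\d+) bit"),
        "compression": grab(r"^Compression:\s*(.*)$"),
        "verify_code": grab(r"^\s*Verify return code:\s*(\d+)"),
    }
    info["key_bits"] = int(info["key_bits"]) if info["key_bits"] else None
    info["verify_code"] = int(info["verify_code"]) if info["verify_code"] is not None else None
    # A leaf whose issuer equals its subject is self-signed: it can only be
    # trusted by listing that exact certificate as a CA on the other replicas.
    info["self_signed"] = info["subject"] is not None and info["subject"] == info["issuer"]
    return info


def findings(info):
    """Turn the parsed fields into the items to fix before enabling secure syncrepl."""
    out = []
    if info["verify_code"] != 0:
        out.append("certificate not verified (code %s): put the peer cert or its CA in "
                   "TLS_CACERT on every replica; do not work around it with TLS_REQCERT never"
                   % info["verify_code"])
    if info["self_signed"]:
        out.append("self-signed leaf certificate: distribute it to the other replicas' "
                   "TLS_CACERT, or sign all three server certs with one private CA")
    if info["key_bits"] and info["key_bits"] < 2048:
        out.append("%d-bit server key is below the 2048-bit minimum" % info["key_bits"])
    if info["compression"] and info["compression"].lower() != "none":
        out.append("TLS compression is enabled; disable it on the server")
    if info["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        out.append("%s negotiated; require TLS 1.2 or newer" % info["protocol"])
    return out


def verify_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Handshake with host:port verifying the chain against cafile and the hostname.

    Returns (ok, detail). cafile=None falls back to the system trust store,
    which will fail for the self-signed setup in the thread, as s_client did.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, {"protocol": tls.version(), "cipher": tls.cipher()[0],
                              "subject": cert.get("subject"), "issuer": cert.get("issuer")}
    except ssl.SSLCertVerificationError as e:  # subclass of SSLError, so catch first
        return False, {"error": e.verify_message, "code": e.verify_code}
    except (OSError, ssl.SSLError) as e:
        return False, {"error": str(e)}


if __name__ == "__main__":
    # Usage (hostname and CA path are placeholders):
    #   python check_ldaps.py mmprodam01.abc.com /apps/openldap/etc/openldap/ca.pem
    if len(sys.argv) >= 2:
        ok, detail = verify_ldaps(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
        print("verified" if ok else "FAILED", detail)
    else:
        for item in findings(parse_s_client(SAMPLE_S_CLIENT_OUTPUT)):
            print("-", item)
```

Run it once from each of the three servers against the other two, passing the same CA file that TLS_CACERT points to in the ldap.conf slapd reads (the thread has two ldap.conf files, one under /etc and one under /apps, and only the one belonging to the compiled tree matters for a /apps/openldap build). A "verified" result with TLS 1.2 or newer is the state the syncrepl consumers should be in before tls=critical is turned on; the findings list from the sample output shows why the quoted run is not there yet.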