
N-Way Multi-Master TLS problem



Hi,

As an exercise I tried setting up a 2-node N-Way Multi-Master with TLS and TLS-protected replication, based on section 18.3.3 of the Admin Guide. I ran into a problem that I haven't been able to fix. The error is:

TLS: hostname (ldap02.local) does not match common name in certificate (ldap01.local). 51f87d48 slap_client_connect: URI=ldap://ldap02.local Error, ldap_start_tls failed (-11

I have tested the certificates manually and I can't see anything wrong with them. I use FQDNs everywhere. It also seems odd that, judging from the strace output of slapd, ldap01 needs access to the public and private certificate of ldap02 and vice versa.

OpenLDAP version 2.4.35 + fixes recommended by Quanah on the list.
NTP is running; iptables and SELinux are off.

The config below is added with:
slapadd -v -F /etc/openldap-2.4/slapd.d -l ./test.ldif -n 0

Anyone have a hint what I am doing wrong?

-------------------------------------------------------------------
Config ldap01:
-------------------------------------------------------------------

# global configuration settings
# Node ldap01.local. olcTLSVerifyClient: demand makes slapd require a client
# certificate chaining to Test-CA.crt on every TLS session, which is why the
# olcSyncrepl consumers further down carry tls_cert/tls_key and why each node
# needs its consumer certificate and key on local disk.
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap-2.4/slapd-2.4.args
olcPidFile: /var/run/openldap-2.4/slapd-2.4.pid
olcLogFile: /var/log/openldap-2.4/slapd-2.4.log
# 127 = Trace+Packets+Args+Conns+BER+Filter+Config, 16384 = Sync (replication).
olcLogLevel: 127 16384
# CA that issues both the server certificates and the consumer client certificates.
olcTLSCACertificateFile: /etc/pki/tls/certs/Test-CA.crt
# Server certificate/key presented to anyone connecting to ldap://ldap01.local.
# NOTE(review): these are global, host-specific paths, and cn=config is
# replicated to the other node (olcSyncrepl rid=1/rid=2 on olcDatabase={0}config),
# so the paths are presumably copied over as well. A common approach is to use
# the same path on every node, each holding that node's own certificate --
# confirm against the Admin Guide section referenced in the mail.
olcTLSCertificateFile: /etc/pki/tls/certs/ldap01.local.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap01.local.key.crt
# NOTE(review): ldap02 pins an olcTLSCipherSuite; this node does not, so the
# two nodes do not enforce the same cipher policy -- probably unintended.
olcTLSVerifyClient: demand
# ldapi:// (local socket) sessions are rated SSF 256; olcSecurity then requires
# SSF 256 for every operation, i.e. TLS (or the local socket) is mandatory.
olcLocalSSF: 256
olcSecurity: ssf=256
# New userPassword values are stored as {CRYPT} with a $6$ (SHA-512 crypt) salt.
olcPasswordCryptSaltFormat: $6$%s
olcPasswordHash: {CRYPT}
# Mirror mode: both server IDs with their URLs. slapd selects its own ID by
# matching these URLs against the listener URLs it was started with (-h), so
# each node must be started listening on exactly ldap://<its own fqdn> --
# NOTE(review): confirm the startup -h arguments match these URLs.
olcServerID: 1 ldap://ldap01.local
olcServerID: 2 ldap://ldap02.local

# load modules
# Dynamic modules used by this config: mdb storage, the cn=Monitor backend and
# the syncprov overlay. NOTE(review): ldap02's module list additionally loads
# memberof, refint, auditlog and ppolicy; since cn=config is replicated between
# the nodes, this entry will presumably converge to one of the two versions --
# confirm which set is intended on both nodes.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/lib64/openldap-2.4
olcModuleLoad: back_mdb.la
olcModuleLoad: back_monitor.la
olcModuleload: syncprov.la

# schema definitions
# Schema is pulled in through include: directives, which slapadd resolves while
# loading this file into the config database (-n 0).
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# include the schemas
include: file:///etc/openldap-2.4/schema/core.ldif
include: file:///etc/openldap-2.4/schema/corba.ldif
include: file:///etc/openldap-2.4/schema/cosine.ldif
include: file:///etc/openldap-2.4/schema/duaconf.ldif
include: file:///etc/openldap-2.4/schema/dyngroup.ldif
include: file:///etc/openldap-2.4/schema/inetorgperson.ldif
include: file:///etc/openldap-2.4/schema/java.ldif
include: file:///etc/openldap-2.4/schema/misc.ldif
include: file:///etc/openldap-2.4/schema/nis.ldif
include: file:///etc/openldap-2.4/schema/openldap.ldif
include: file:///etc/openldap-2.4/schema/ppolicy.ldif
include: file:///etc/openldap-2.4/schema/collective.ldif

# global database parameters
# Frontend database; nothing is overridden here, so defaults apply to every
# database that does not set its own values.
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

# setup cn=config
# Config database, replicated between the two nodes so a change made on one
# shows up on the other. The rootDN of this database defaults to cn=config and
# is authenticated with olcRootPW.
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
# <somepass> is a redaction placeholder in the posted config.
olcRootPW: {CRYPT}$6$<somepass>
# Consumers of the other node's cn=config. In mirror mode each node carries both
# rids; the one pointing at the node's own serverID URL is presumably skipped.
# binddn="cn=config" binds as this database's rootDN, so the replication
# identity has full rights and its cleartext credential lives in cn=config
# itself. interval= only applies to refreshOnly and is inert here.
# starttls=critical plus tls_reqcert=demand make TLS mandatory and require the
# provider certificate to chain to Test-CA.crt and to match the provider
# hostname -- the check that fails in the error quoted above.
olcSyncrepl: rid=1 provider=ldap://ldap01.local
  searchbase="cn=config" type=refreshAndPersist timeout=1
  schemachecking=off interval=00:00:00:5 retry="5 +"
  bindmethod=simple binddn="cn=config" credentials=password
  starttls=critical tls_cert=/etc/pki/tls/certs/config.crt
  tls_key=/etc/pki/tls/private/config.key.crt
  tls_cacert=/etc/pki/tls/certs/Test-CA.crt
  tls_reqcert=demand
# NOTE(review): rid=2 uses credentials=1234 while rid=1 uses credentials=password,
# yet both bind as cn=config and olcRootPW is presumably replicated along with
# this entry, so only one of the two can match -- confirm (unless these are
# redaction artefacts).
olcSyncrepl: rid=2 provider=ldap://ldap02.local
  searchbase="cn=config" type=refreshAndPersist timeout=1
  schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple
  binddn="cn=config" credentials=1234 starttls=critical
  tls_cert=/etc/pki/tls/certs/config.crt
  tls_key=/etc/pki/tls/private/config.key.crt
  tls_cacert=/etc/pki/tls/certs/Test-CA.crt
  tls_reqcert=demand
# Both nodes accept writes to cn=config.
olcMirrorMode: TRUE
# Besides the config rootDN (which bypasses ACLs), only the directory rootDN
# may read or write cn=config over LDAP.
olcAccess: to *
  by dn.exact="cn=Manager,dc=local" write
  by * none

# setup monitoring
# cn=Monitor backend; readable (and writable) only by the directory rootDN.
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: monitor
olcAccess: to dn.subtree=cn=Monitor
  by dn.exact="cn=Manager,dc=local" write
  by * none

# main data database (dc=local) on the MDB backend, replicated in mirror mode
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=local
olcRootDN: cn=Manager,dc=local
# <somepass> is a redaction placeholder in the posted config.
olcRootPW: {CRYPT}$6$<somepass>
olcDbDirectory: /var/lib/ldap-2.4/local
# Indexes; entryCSN/entryUUID eq are the ones syncrepl relies on.
olcDbIndex: cn pres,eq,sub
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: memberUid pres,eq
olcDbIndex: objectClass pres,eq
olcDbIndex: ou pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: uid pres,eq
olcDbIndex: uidNumber pres,eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
# NOTE(review): 0 presumably selects the default reader-table size -- confirm.
olcDbMaxReaders: 0
# Database files are created readable/writable by the slapd user only.
olcDbMode: 0600
olcDbSearchStack: 16
# maximum database size in bytes - 5 GiB = 5 * 1073741824 = 5368709120 bytes
olcDbMaxSize: 5368709120
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
# Sync on every commit, but see the env flags below: nometasync skips the
# meta-page sync and can lose the last committed transaction on an OS crash;
# NOTE(review): acceptable only if the other replica is the recovery path.
olcDbNoSync: FALSE
# NOTE(review): these limits apply to every bound identity, not just Manager;
# with the "by * read" ACL below, anonymous clients can run unbounded searches
# against dc=local -- consider a finite default and per-DN olcLimits instead.
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcDbEnvFlags: writemap
olcDbEnvFlags: nometasync
# userPassword is never readable: usable only for binding (auth) by anonymous,
# writable by the entry owner and by Manager.
olcAccess: to attrs=userPassword
  by dn.exact="cn=Manager,dc=local" write
  by self write
  by anonymous auth
  by * none
# Everything else is world-readable and self-writable.
olcAccess: to *
  by dn.exact="cn=Manager,dc=local" write
  by self write
  by * read
# Manager is exempt from search limits so the replication search below, which
# binds as Manager, is never truncated (the rootDN is presumably exempt anyway).
olcLimits: dn.exact="cn=Manager,dc=local" time.soft=unlimited
  time.hard=unlimited size.soft=unlimited size.hard=unlimited
# Consumers replicating dc=local from the other node; TLS options as in the
# cn=config consumers. NOTE(review): binding as the rootDN with a cleartext
# credential gives the replication identity full write access and bypasses
# ACLs and limits; a dedicated replicator DN with read-only access is the usual
# recommendation. rid=3 and rid=4 differ only in the provider URL.
olcSyncrepl: rid=3 provider=ldap://ldap01.local
  searchbase="dc=local" type=refreshAndPersist timeout=1
  schemachecking=off interval=00:00:00:5 retry="5 +"
  bindmethod=simple binddn="cn=Manager,dc=local"
  credentials=password
  starttls=critical
  tls_cert=/etc/pki/tls/certs/Manager.crt
  tls_key=/etc/pki/tls/private/Manager.key.crt
  tls_cacert=/etc/pki/tls/certs/Test-CA.crt
  tls_reqcert=demand
olcSyncrepl: rid=4 provider=ldap://ldap02.local
  searchbase="dc=local" type=refreshAndPersist timeout=1
  schemachecking=off interval=00:00:00:5 retry="5 +"
  bindmethod=simple binddn="cn=Manager,dc=local"
  credentials=password
  starttls=critical
  tls_cert=/etc/pki/tls/certs/Manager.crt
  tls_key=/etc/pki/tls/private/Manager.key.crt
  tls_cacert=/etc/pki/tls/certs/Test-CA.crt
  tls_reqcert=demand
# Both nodes accept writes to dc=local.
olcMirrorMode: TRUE

# add the syncprov overlay to the cn=config database
# Makes this node a provider for the other node's cn=config consumer (rid=1/2).
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# add the syncprov overlay to the main mdb database
# Makes this node a provider for the other node's dc=local consumer (rid=3/4).
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov


-------------------------------------------------------------------
Config ldap02:
-------------------------------------------------------------------

# global configuration settings
# Node ldap02.local.
# NOTE(review): olcTLSCertificateFile / olcTLSCertificateKeyFile below point at
# ldap01.local's certificate and key, although this node is ldap02.local. A
# consumer connecting to ldap://ldap02.local with tls_reqcert=demand is then
# shown a certificate whose CN is ldap01.local, which is exactly the
# "hostname (ldap02.local) does not match common name in certificate
# (ldap01.local)" failure quoted in the mail. This node should present the
# certificate and key issued for ldap02.local (path not shown in the post).
# Keep in mind that these global paths are replicated along with cn=config,
# so a per-host filename on one node presumably ends up on the other as well;
# using the same path on both nodes, each holding its own certificate, avoids
# that -- confirm against the Admin Guide.
# NOTE(review): no olcDatabase={2}mdb entry or its syncprov overlay appears in
# this node's config; presumably it is expected to arrive via cn=config
# replication -- confirm.
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap-2.4/slapd-2.4.args
olcPidFile: /var/run/openldap-2.4/slapd-2.4.pid
olcLogFile: /var/log/openldap-2.4/slapd-2.4.log
# 127 = Trace+Packets+Args+Conns+BER+Filter+Config, 16384 = Sync (replication).
olcLogLevel: 127 16384
olcTLSCACertificateFile: /etc/pki/tls/certs/Test-CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldap01.local.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap01.local.key.crt
# Cipher policy set on this node only (ldap01 has none). The string is OpenSSL
# cipher-list syntax; NOTE(review): if this slapd is linked against GnuTLS or
# Mozilla NSS the expected syntax differs -- confirm the TLS library in use.
olcTLSCipherSuite: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!RC4:@STRENGTH
# Every TLS client must present a certificate chaining to Test-CA.crt.
olcTLSVerifyClient: demand
# ldapi:// sessions are rated SSF 256; olcSecurity then requires SSF 256 for
# every operation, i.e. TLS (or the local socket) is mandatory.
olcLocalSSF: 256
olcSecurity: ssf=256
olcPasswordCryptSaltFormat: $6$%s
olcPasswordHash: {CRYPT}
# Mirror mode server IDs; slapd picks its own by matching the listener URL it
# was started with (-h) -- NOTE(review): confirm -h ldap://ldap02.local here.
olcServerID: 1 ldap://ldap01.local
olcServerID: 2 ldap://ldap02.local

# load modules
# NOTE(review): this node loads memberof, refint, auditlog and ppolicy in
# addition to ldap01's set, but no overlay instance using them appears in the
# posted config; with cn=config replicated, the two module lists will
# presumably converge to one version -- confirm which is intended.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/lib64/openldap-2.4
olcModuleLoad: back_mdb.la
olcModuleLoad: back_monitor.la
olcModuleLoad: memberof.la
olcModuleLoad: refint.la
olcModuleLoad: auditlog.la
olcModuleLoad: ppolicy.la
olcModuleload: syncprov.la

# schema definitions
# Same schema set as ldap01, loaded via include: directives resolved by
# slapadd -n 0.
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# include the schemas
include: file:///etc/openldap-2.4/schema/core.ldif
include: file:///etc/openldap-2.4/schema/corba.ldif
include: file:///etc/openldap-2.4/schema/cosine.ldif
include: file:///etc/openldap-2.4/schema/duaconf.ldif
include: file:///etc/openldap-2.4/schema/dyngroup.ldif
include: file:///etc/openldap-2.4/schema/inetorgperson.ldif
include: file:///etc/openldap-2.4/schema/java.ldif
include: file:///etc/openldap-2.4/schema/misc.ldif
include: file:///etc/openldap-2.4/schema/nis.ldif
include: file:///etc/openldap-2.4/schema/openldap.ldif
include: file:///etc/openldap-2.4/schema/ppolicy.ldif
include: file:///etc/openldap-2.4/schema/collective.ldif

# global database parameters
# Frontend database; no overrides, defaults apply to all other databases.
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

# setup cn=config
# Config database, identical to ldap01's entry (as cn=config replication
# requires). Both rids are present; the one pointing at this node's own
# serverID URL (rid=2 here) is presumably skipped.
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
# <somepass> is a redaction placeholder in the posted config.
olcRootPW: {CRYPT}$6$<somepass>
# binddn="cn=config" binds as this database's rootDN: full rights, cleartext
# credential stored in cn=config. starttls=critical + tls_reqcert=demand make
# TLS mandatory and require the provider certificate to chain to Test-CA.crt
# and match the provider hostname. interval= is inert with refreshAndPersist.
olcSyncrepl: rid=1 provider=ldap://ldap01.local
  searchbase="cn=config" type=refreshAndPersist timeout=1
  schemachecking=off interval=00:00:00:5 retry="5 +"
  bindmethod=simple binddn="cn=config" credentials=password
  starttls=critical tls_cert=/etc/pki/tls/certs/config.crt
  tls_key=/etc/pki/tls/private/config.key.crt
  tls_cacert=/etc/pki/tls/certs/Test-CA.crt
  tls_reqcert=demand
# NOTE(review): credentials=1234 here versus credentials=password on rid=1,
# while both bind as cn=config against a replicated olcRootPW -- only one can
# match; confirm (unless these are redaction artefacts).
olcSyncrepl: rid=2 provider=ldap://ldap02.local
  searchbase="cn=config" type=refreshAndPersist timeout=1
  schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple
  binddn="cn=config" credentials=1234 starttls=critical
  tls_cert=/etc/pki/tls/certs/config.crt
  tls_key=/etc/pki/tls/private/config.key.crt
  tls_cacert=/etc/pki/tls/certs/Test-CA.crt
  tls_reqcert=demand
# Both nodes accept writes to cn=config.
olcMirrorMode: TRUE
# Besides the config rootDN (which bypasses ACLs), only the directory rootDN
# may read or write cn=config over LDAP.
olcAccess: to *
  by dn.exact="cn=Manager,dc=local" write
  by * none

# setup monitoring
# cn=Monitor backend; readable (and writable) only by the directory rootDN.
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: monitor
olcAccess: to dn.subtree=cn=Monitor
  by dn.exact="cn=Manager,dc=local" write
  by * none

# add the syncprov overlay to the cn=config database
# Makes this node a provider for ldap01's cn=config consumer (rid=2 there).
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov


Thank you for any pointers.

Regards,
Patrick