
Re: LDAP Replica TLS problem



Hi,

If your certificate is self-signed, try to remove this line:

olcTLSCACertificateFile: /etc/openldap/certs/ldapscert.pem

Keep only olcTLSCertificateFile and olcTLSCertificateKeyFile

Best regards, cyrill gremaud

On 20 Oct 2014, at 17:07, Elmopi, Stefano <stefano.elmopi@sociale.it> wrote:



Hi,

I'm having trouble running the LDAP replica with TLS; without TLS, everything works!!
Provider and Consumer are identical.

CentOS release 6.5

rpm -qa | grep ldap
openldap-clients-2.4.23-34.el6_5.1.x86_64
openldap-2.4.23-34.el6_5.1.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64
mod_authz_ldap-0.26-16.el6.x86_64
pam_ldap-185-11.el6.x86_64
openldap-servers-2.4.23-34.el6_5.1.x86_64

Provider config, file cn\=config.ldif

olcTLSCACertificateFile: /etc/openldap/certs/ldapscert.pem
olcTLSCertificateFile: /etc/openldap/certs/ldapscert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/keys/ldapskey.pem
olcTLSCipherSuite: TLSv1+RSA:!EXPORT:!NULL
olcTLSVerifyClient: never


Consumer config:

olcSyncrepl: {0}rid=000
  provider=ldap://ldpsoc01devpom.sociale.it
  starttls=yes
  type=refreshonly
  retry="5 5 300 +"
  searchbase="dc=example,dc=it"
  attrs="*,+"
  bindmethod=simple
  binddn="uid=xxxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it"
  credentials=xxxxxxx
  interval=60

and, in /etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/certs/ldapscert.pem
TLS_REQCERT never

The certificate is self-signed.

On the slave, if I try the following command:

ldapsearch -ZZ -x -H ldap://ldpsoc01devpom -D 'uid=xxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it' -W 'objectclass=*' -v

everything is OK, but when I try to use TLS in replication, the process goes wrong.
In the Provider log:

connection_get(16)
connection_get(16): got connid=1030
connection_read(16): checking for input on id=1030
connection_read(16): TLS accept failure error=-1 id=1030, closing
connection_closing: readying conn=1030 sd=16 for close
connection_close: conn=1030 sd=16
daemon: activity on 1 descriptor
daemon: activity on:


In the Consumer log:

slapd[6508]: =>do_syncrepl rid=000
slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it Warning, ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it DN="uid=bind_replica,ou=admin_bind,ou=utenze_amministratori,dc=sociale,dc=it" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=000 rc -1 retrying (3 retries left)
daemon: activity on 1 descriptor
daemon: activity on:

Help, I do not know where to turn!!!!
Thanks



Ing. Stefano Elmopi
Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio
Via Ostiense 131/L Corpo B, 00154 Roma

cell. 3466147165
tel.  0657060500

email: stefano.elmopi@sociale.it


"Pursuant to and for the purposes of the law on the protection of personal data (Legislative Decree 196/2003),
the information contained in this e-mail is confidential in nature and intended
for company/business use, excluding any personal use; as such,
it is therefore reserved exclusively for the recipients indicated above. Reading,
copying, using or disseminating the content of this e-mail without authorization is prohibited.
If you have received this e-mail in error, please return it to the sender.
Thank you"
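
Editor's note on the StartTLS exchange discussed above. The consumer's "ldap_start_tls failed (-11)" is libldap's LDAP_CONNECT_ERROR, and the provider's "TLS accept failure" shows the failure happening in the TLS handshake after the LDAP-layer StartTLS request was accepted. The probe below is an added example, not code from OpenLDAP or from either poster: it sends the same LDAPv3 StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) that ldap_start_tls() sends, decodes the ExtendedResponse so the two failure layers can be told apart, and then upgrades the socket with the server certificate verified, i.e. the behaviour of TLS_REQCERT demand rather than the TLS_REQCERT never used in the thread. The host name, port, CA file path and the sample response bytes are constructed for the example; the provider in the thread was not probed.

```python
"""StartTLS probe for an LDAP provider with strict certificate checking.

Added example for this thread; not code from OpenLDAP or from either poster.
Sample bytes and host names below are constructed, not captured from the
servers in the thread.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"          # RFC 4511 StartTLS extended operation
TAG_SEQUENCE, TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET = 0x30, 0x02, 0x0A, 0x04
TAG_EXTENDED_REQUEST, TAG_EXTENDED_RESPONSE = 0x77, 0x78   # [APPLICATION 23] / [APPLICATION 24]


def ber_length(n):
    """Encode a BER length: short form below 128, long form (0x80|count, bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """Wrap payload in a TLV with the given tag byte."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] OID } } (message_id < 128)."""
    ext = ber(TAG_EXTENDED_REQUEST, ber(0x80, STARTTLS_OID))      # [0] requestName, primitive
    return ber(TAG_SEQUENCE, ber(TAG_INTEGER, bytes([message_id])) + ext)


def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long form: next (length & 0x7f) bytes hold the size
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse LDAPMessage."""
    tag, body, _ = read_tlv(data)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("protocolOp 0x%02x is not an ExtendedResponse" % tag)
    _, rc, pos = read_tlv(op)                          # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)            # matchedDN LDAPDN
    _, diag, pos = read_tlv(op, pos)                   # diagnosticMessage LDAPString
    return int.from_bytes(msg_id, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8")


def recv_exact(sock, n):
    """Read exactly n bytes; a closed socket here is what the thread's provider log shows."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("provider closed the connection")
        buf += chunk
    return buf


def recv_ldap_message(sock):
    """Read one BER-framed LDAPMessage (outer SEQUENCE) off the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)


def starttls_connect(host, port=389, cafile=None, timeout=10):
    """Negotiate StartTLS and return a TLS socket whose server cert was verified, or raise."""
    sock = socket.create_connection((host, port), timeout)
    sock.sendall(build_starttls_request())
    _, rc, diag = parse_extended_response(recv_ldap_message(sock))
    if rc != 0:                                        # rejected at the LDAP layer, before any handshake
        sock.close()
        raise RuntimeError("provider refused StartTLS: resultCode=%d %r" % (rc, diag))
    # create_default_context() sets verify_mode=CERT_REQUIRED and check_hostname=True,
    # the equivalent of TLS_REQCERT demand. For a self-signed server certificate,
    # cafile is that certificate itself (as the thread's TLS_CACERT already does).
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(sock, server_hostname=host)  # ssl.SSLError here = handshake failure


# Constructed sample responses for offline checking (not captured from the thread's servers).
SAMPLE_SUCCESS = bytes.fromhex("300c0201017807" "0a0100" "0400" "0400")        # resultCode success(0)
SAMPLE_REFUSED = ber(TAG_SEQUENCE, ber(TAG_INTEGER, b"\x01") + ber(
    TAG_EXTENDED_RESPONSE, ber(TAG_ENUMERATED, b"\x01") + ber(TAG_OCTET, b"")
    + ber(TAG_OCTET, b"TLS already started")))                                   # operationsError(1)

if __name__ == "__main__":
    # usage: python3 starttls_probe.py ldap.example.it [/path/to/ca-or-self-signed-cert.pem]
    tls = starttls_connect(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print("StartTLS OK:", tls.version(), tls.getpeercert()["subject"])
    tls.close()
```

Two outcomes matter when running this against a provider: a non-zero resultCode means slapd rejected the extended operation itself, while an ssl.SSLError from wrap_socket means the LDAP layer accepted and the TLS handshake failed, which is the case the thread's "TLS accept failure" line describes. Because verification is on, a certificate whose subject or subjectAltName does not match the host name you connect to (the thread uses the short name ldpsoc01devpom in ldapsearch and the FQDN in the syncrepl provider URI) will also be reported here, where TLS_REQCERT never would have hidden it. Note also the syncrepl keyword: with starttls=yes, slapd.conf(5) documents that the session continues without TLS if the StartTLS request fails, so the simple-bind credentials would go over cleartext; starttls=critical aborts instead, and tls_reqcert=demand with tls_cacert=... on the syncrepl line pins verification for the consumer independently of ldap.conf.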