
Again problems with slurpd



Hi everybody,

After having changed my certificates for SSL/TLS, I was happy to
try replication with v2.1.3 again.

Unluckily with no success.

First, my configuration files:

1) replication server (slapd-replication.conf):

------------------snipp------
include /usr/local/ldap/etc/openldap/schema/core.schema
include /usr/local/ldap/etc/openldap/schema/cosine.schema
include /usr/local/ldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/ldap/etc/openldap/schema/nis.schema
include /usr/local/ldap/etc/openldap/schema/qmail.schema
include /usr/local/ldap/etc/openldap/schema/samba.schema
include /usr/local/ldap/etc/openldap/schema/krb5-kdc.schema
include /usr/local/ldap/etc/openldap/schema/java.schema
include /usr/local/ldap/etc/openldap/schema/openldap.schema
include /usr/local/ldap/etc/openldap/schema/turbo.schema
include /usr/local/ldap/etc/openldap/schema/netscape-profile.schema

# TLS-certificates
TLSCertificateFile      /usr/local/ldap/mycert/slapd.crt
TLSCertificateKeyFile   /usr/local/ldap/mycert/slapd.key
TLSCACertificateFile    /usr/local/ldap/mycert/ca.crt

# SASL-authentification
srvtab     /etc/krb5.keytab
sasl-host  486dx66.hrnet.de
sasl-realm HRNET.DE

saslRegexp
uid=.*,cn=HRNET.DE,cn=GSSAPI,cn=auth
uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de


pidfile         /usr/local/ldap/var/slapd-replica.pid
argsfile        /usr/local/ldap/var/slapd-replica.args
database        bdb
suffix          "dc=hrnet,dc=de"
rootdn          "cn=root,dc=hrnet,dc=de"
rootpw something

#### UPDATE-account ###########################
updatedn   "uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth"
###############################################

directory       /usr/local/ldap/var/openldap-data-replica
index   objectClass,rid,uid,uidNumber,gidNumber,lmPassword,ntPassword pres,eq
index   memberUid,ou pres,eq,sub

access to attr=uid,dc,ou,o
   by dn="uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth" write
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de" read
   by dn="uid=root,dc=hrnet,dc=de" read
   by anonymous search
   by * none

access to attr=userPassword,lmPassword,ntPassword
   by dn="uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth" write
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de" read
   by dn="uid=root,dc=hrnet,dc=de" read
   by anonymous auth
   by * none

access to *
   by dn="uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth"   write
   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de" read
   by dn="uid=root,dc=hrnet,dc=de" read
   by * read


database        monitor
access to *
  by * read

------------------snipp------

2) ldap.conf 

------------------snipp------
BASE dc=hrnet,dc=de
HOST ldap.hrnet.de:5389 ldaps.hrnet.de:5636

binddn o=myorganization,dc=hrnet,dc=de

bindpw something

rootbinddn cn=root,dc=hrnet,dc=de
DEREF always
TLS_CACert   /usr/local/ldap/mycert/ca.crt
TLS hard

------------------snipp------

Here's what slurpd says when it comes to replication:

------------------snipp------
Retrying operation for DN uid=gast,ou=Users,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de on replica 486dx66.hrnet.de:5389
Initializing session to 486dx66.hrnet.de:5389
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP 486dx66.hrnet.de:5389
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 192.168.1.3:5389
ldap_connect_timeout: fd: 8 tm: -1 async: 0
ldap_ndelay_on: 8
ldap_is_sock_ready: 8
ldap_ndelay_off: 8
ldap_int_sasl_open: host=486dx66.hrnet.de
TLS trace: SSL_connect:before/connect initialization
tls_write: want=130, written=130
  0000:  80 80 01 03 01 00 57 00  00 00 20 00 00 16 00 00   ......W... .....
  0010:  13 00 00 0a 07 00 c0 00  00 66 00 00 07 00 00 05   .........f......
  0020:  00 00 04 05 00 80 03 00  80 01 00 80 08 00 80 00   ................
  0030:  00 65 00 00 64 00 00 63  00 00 62 00 00 61 00 00   .e..d..c..b..a..
  0040:  60 00 00 15 00 00 12 00  00 09 06 00 40 00 00 14   `...........@...
  0050:  00 00 11 00 00 08 00 00  06 00 00 03 04 00 80 02   ................
  0060:  00 80 7d 49 b4 19 20 7a  86 9f d1 07 e1 8d c4 f9   ..}I.. z........
  0070:  29 21 f4 e5 bb 9b 86 09  14 35 ec 37 2c 54 66 eb   )!.......5.7,Tf.
  0080:  9a 5d                                              .]
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0

TLS: can't connect.
ldap_err2string
Warning: ldap_start_tls failed: Can't contact LDAP server (81)
bind to 486dx66.hrnet.de as - via GSSAPI (SASL)
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
------------------snipp------

And here's what the replication server says:

------------------snipp------
daemon: added 8r
daemon: added 9r
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 15
daemon: conn=0 fd=15 connection from IP=192.168.1.3:4590 (IP=192.168.1.3:5389) accepted.
daemon: added 15r
daemon: activity on:
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 15r
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=0
connection_read(15): checking for input on id=0
ber_get_next
ldap_read: want=9, got=9
  0000:  80 80 01 03 01 00 57 00  00                        ......W..
ber_get_next on fd 15 failed errno=34 (Numerical result out of range)
connection_read(15): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=15 for close
connection_close: conn=0 sd=15
daemon: removing 15
conn=0 fd=15 closed
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL

------------------snipp------

It seems that there's an error with TLS, but I can't see
what's wrong.
Any suggestions/hints from the list?

greets Harry
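One thing a reader can check against the two traces above, as an added example that is not part of the original post: the nine bytes slapd logged on fd 15 (`80 80 01 03 01 00 57 00 00`) decode as the header of an SSLv2-compatible ClientHello, not as the BER SEQUENCE (`0x30`) that every LDAPMessage starts with, which is why ber_get_next gives up on them. This Python classifier (assumed function names, constructed sample inputs taken from the first dump line of the slurpd trace) decodes those leading bytes and cross-checks them against the 130-byte write seen on the slurpd side.

```python
# Added example (not from the original post): tell an LDAP BER message apart
# from a TLS/SSL handshake by looking at the first bytes a listener received.
from typing import Any, Dict, Optional, Tuple

BER_SEQUENCE = 0x30       # every LDAPMessage is a BER SEQUENCE
TLS_HANDSHAKE = 0x16      # TLS record content type "handshake"
SSLV2_CLIENT_HELLO = 0x01  # message type in an SSLv2-compatible hello


def ber_length(data: bytes, pos: int) -> Tuple[Optional[int], int]:
    """Decode a BER length at pos; returns (length, next_pos), None = indefinite."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    octets = first & 0x7F
    if octets == 0:
        return None, pos + 1          # indefinite form, not valid in LDAP
    if octets > 4 or pos + 1 + octets > len(data):
        raise ValueError("BER length octets out of range")
    return int.from_bytes(data[pos + 1:pos + 1 + octets], "big"), pos + 1 + octets


def classify_first_bytes(data: bytes) -> Dict[str, Any]:
    """Report what kind of traffic the leading bytes of a connection look like."""
    if len(data) < 5:
        return {"kind": "too-short"}
    b0 = data[0]
    if b0 == BER_SEQUENCE:
        length, body = ber_length(data, 1)
        return {"kind": "ldap-ber", "message_length": length, "body_offset": body}
    if b0 == TLS_HANDSHAKE and data[1] == 0x03:
        return {"kind": "tls-record", "record_version": (data[1], data[2]),
                "record_length": int.from_bytes(data[3:5], "big")}
    if b0 & 0x80 and len(data) >= 9 and data[2] == SSLV2_CLIENT_HELLO:
        # SSLv2-compatible hello: 2-byte header with a 15-bit body length, then
        # type, version, cipher-spec length, session-id length, challenge length.
        body_len = ((b0 & 0x7F) << 8) | data[1]
        cipher_len = int.from_bytes(data[5:7], "big")
        return {"kind": "sslv2-client-hello",
                "wire_length": body_len + 2,
                "version": (data[3], data[4]),
                "cipher_specs": cipher_len // 3,      # 3 bytes per cipher spec
                "session_id_length": int.from_bytes(data[7:9], "big"),
                "challenge_length": int.from_bytes(data[9:11], "big") if len(data) >= 11 else None}
    return {"kind": "unknown"}


# Constructed from the first dump line of the slurpd TLS trace in the post
CAPTURED_HELLO = bytes.fromhex("80800103010057000000200000160000")
# Constructed: a minimal LDAPv3 anonymous simple bind request, messageID 1
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")
```

For the captured bytes the decoder reports a 130-byte hello with TLS version (3, 1), 29 cipher specs and a 32-byte challenge, matching the `tls_write: want=130, written=130` line on the slurpd side.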