Again problems with slurpd
Hi everybody,
after having changed my certificates for SSL/TLS I was happy to
try replication with v2.1.3 again.
Unluckily with no success.
First, my configuration files:
1) replication server (slapd-replication.conf):
------------------snipp------
include /usr/local/ldap/etc/openldap/schema/core.schema
include /usr/local/ldap/etc/openldap/schema/cosine.schema
include /usr/local/ldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/ldap/etc/openldap/schema/nis.schema
include /usr/local/ldap/etc/openldap/schema/qmail.schema
include /usr/local/ldap/etc/openldap/schema/samba.schema
include /usr/local/ldap/etc/openldap/schema/krb5-kdc.schema
include /usr/local/ldap/etc/openldap/schema/java.schema
include /usr/local/ldap/etc/openldap/schema/openldap.schema
include /usr/local/ldap/etc/openldap/schema/turbo.schema
include /usr/local/ldap/etc/openldap/schema/netscape-profile.schema
# TLS-certificates
TLSCertificateFile /usr/local/ldap/mycert/slapd.crt
TLSCertificateKeyFile /usr/local/ldap/mycert/slapd.key
TLSCACertificateFile /usr/local/ldap/mycert/ca.crt
# SASL-authentification
srvtab /etc/krb5.keytab
sasl-host 486dx66.hrnet.de
sasl-realm HRNET.DE
saslRegexp
uid=.*,cn=HRNET.DE,cn=GSSAPI,cn=auth
uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de
pidfile /usr/local/ldap/var/slapd-replica.pid
argsfile /usr/local/ldap/var/slapd-replica.args
database bdb
suffix "dc=hrnet,dc=de"
rootdn "cn=root,dc=hrnet,dc=de"
rootpw something
#### UPDATE-account ###########################
updatedn "uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth"
###############################################
directory /usr/local/ldap/var/openldap-data-replica
index objectClass,rid,uid,uidNumber,gidNumber,lmPassword,ntPassword pres,eq
index memberUid,ou pres,eq,sub
access to attr=uid,dc,ou,o
by dn="uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth" write
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de" read
by dn="uid=root,dc=hrnet,dc=de" read
by anonymous search
by * none
access to attr=userPassword,lmPassword,ntPassword
by dn="uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth" write
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de" read
by dn="uid=root,dc=hrnet,dc=de" read
by anonymous auth
by * none
access to *
by dn="uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth" write
by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de" read
by dn="uid=root,dc=hrnet,dc=de" read
by * read
database monitor
access to *
by * read
------------------snipp------
2) ldap.conf
------------------snipp------
BASE dc=hrnet,dc=de
HOST ldap.hrnet.de:5389 ldaps.hrnet.de:5636
binddn o=myorganization,dc=hrnet,dc=de
bindpw something
rootbinddn cn=root,dc=hrnet,dc=de
DEREF always
TLS_CACert /usr/local/ldap/mycert/ca.crt
TLS hard
------------------snipp------
Here's what slurpd says when it comes to replication:
------------------snipp------
Retrying operation for DN
uid=gast,ou=Users,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de
on replica 486dx66.hrnet.de:5389
Initializing session to 486dx66.hrnet.de:5389
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP 486dx66.hrnet.de:5389
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 192.168.1.3:5389
ldap_connect_timeout: fd: 8 tm: -1 async: 0
ldap_ndelay_on: 8
ldap_is_sock_ready: 8
ldap_ndelay_off: 8
ldap_int_sasl_open: host=486dx66.hrnet.de
TLS trace: SSL_connect:before/connect initialization
tls_write: want=130, written=130
0000: 80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00   ......W... .....
0010: 13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05   .........f......
0020: 00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00   ................
0030: 00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00   .e..d..c..b..a..
0040: 60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14   `...........@...
0050: 00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02   ................
0060: 00 80 7d 49 b4 19 20 7a 86 9f d1 07 e1 8d c4 f9   ..}I.. z........
0070: 29 21 f4 e5 bb 9b 86 09 14 35 ec 37 2c 54 66 eb   )!.......5.7,Tf.
0080: 9a 5d                                             .]
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0
TLS: can't connect.
ldap_err2string
Warning: ldap_start_tls failed: Can't contact LDAP server (81)
bind to 486dx66.hrnet.de as - via GSSAPI (SASL)
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
------------------snipp------
And here's what the replication server says:
------------------snipp------
daemon: added 8r
daemon: added 9r
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 15
daemon: conn=0 fd=15 connection from IP=192.168.1.3:4590
(IP=192.168.1.3:5389) accepted.
daemon: added 15r
daemon: activity on:
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 15r
daemon: read activity on 15
connection_get(15)
connection_get(15): got connid=0
connection_read(15): checking for input on id=0
ber_get_next
ldap_read: want=9, got=9
0000: 80 80 01 03 01 00 57 00 00 ......W..
ber_get_next on fd 15 failed errno=34 (Numerical result out of range)
connection_read(15): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=15 for close
connection_close: conn=0 sd=15
daemon: removing 15
conn=0 fd=15 closed
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
------------------snipp------
It seems that there's an error with TLS, but I can't see
what's wrong.
Any suggestions/hints from the list?
greets Harry
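An added diagnostic example (not part of Harry's post, and not OpenLDAP code): the two dumps above show the same nine bytes from both ends of the connection. slurpd's first write on the socket to port 5389 begins `80 80 01 03 01 00 57 ...`, and slapd on that port hands those bytes to `ber_get_next`, which fails. The function below takes the first bytes a listener receives and classifies them as an LDAP BER message, an SSLv2-compatible ClientHello record, or a TLS record, decoding the header fields so a log like the one above can be read without a packet analyser. The SSLv2 sample is the prefix quoted in the post; the LDAP and TLS samples are constructed here for contrast.

```python
"""Classify the first bytes read from a socket: LDAP (BER), an SSLv2-style
ClientHello, or a TLS record.  Useful when a client's TLS handshake is sent
to a port where the server expects plaintext LDAP."""

from dataclasses import dataclass
from typing import Optional

# Sample inputs.  SSLV2_HELLO_PREFIX is the 9-byte prefix quoted in the post
# (what slapd read on fd 15 before ber_get_next failed).  The other two are
# constructed for this example: a hand-built anonymous BindRequest and the
# start of a TLS 1.0 record carrying a ClientHello.
SSLV2_HELLO_PREFIX = bytes.fromhex("80 80 01 03 01 00 57 00 00")
LDAP_BIND_PREFIX = bytes.fromhex("30 0c 02 01 01 60 07 02 01 03 04 00 80 00")
TLS_RECORD_PREFIX = bytes.fromhex("16 03 01 00 57 01 00 00 53 03 01")


@dataclass
class Peek:
    protocol: str  # "ldap", "sslv2-client-hello", "tls-record" or "unknown"
    detail: str


def parse_sslv2_header(data: bytes) -> Optional[dict]:
    """Decode a 2-byte SSLv2 record header followed by CLIENT-HELLO fields.

    An SSLv2 record whose first byte has the high bit set uses a 2-byte
    header; the remaining 15 bits are the record length.  A CLIENT-HELLO
    then carries msg type 0x01, the offered version, cipher-spec length,
    session-id length and challenge length (2 bytes each)."""
    if len(data) < 9 or not data[0] & 0x80:
        return None
    record_len = ((data[0] & 0x7F) << 8) | data[1]
    if data[2] != 0x01:  # 0x01 = CLIENT-HELLO
        return None
    return {
        "record_len": record_len,
        "version": (data[3] << 8) | data[4],          # 0x0301 = TLS 1.0
        "cipher_spec_len": (data[5] << 8) | data[6],
        "session_id_len": (data[7] << 8) | data[8],
    }


def ber_length(data: bytes, pos: int) -> Optional[tuple]:
    """Decode a BER length at data[pos]; returns (length, next_pos).

    Returns None for the indefinite form (0x80) and for long forms wider
    than 4 bytes, which OpenLDAP's ber_get_next also refuses on the wire."""
    if pos >= len(data):
        return None
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(data):
        return None
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify(data: bytes) -> Peek:
    """Decide which protocol the peer started speaking."""
    if len(data) < 2:
        return Peek("unknown", "too few bytes")
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, ... } => 0x30, len, 0x02
    if data[0] == 0x30:
        decoded = ber_length(data, 1)
        if decoded is not None:
            length, nxt = decoded
            if nxt < len(data) and data[nxt] == 0x02:
                return Peek("ldap", f"LDAPMessage SEQUENCE with {length}-byte body")
    # TLS record: content type 0x14..0x17, major version 3
    if data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03:
        return Peek("tls-record", f"content type 0x{data[0]:02x}, version 3.{data[2]}")
    # SSLv2-compatible ClientHello, as sent by older OpenSSL clients.  Read
    # as BER, 0x80 is a context tag followed by an indefinite length, which
    # is why the server side logs a ber_get_next failure instead.
    hello = parse_sslv2_header(data)
    if hello is not None:
        major, minor = hello["version"] >> 8, hello["version"] & 0xFF
        return Peek(
            "sslv2-client-hello",
            f"record length {hello['record_len']}, offers version {major}.{minor}, "
            f"{hello['cipher_spec_len']} bytes of cipher specs",
        )
    return Peek("unknown", data[:8].hex(" "))


if __name__ == "__main__":
    for name, sample in [("slurpd write", SSLV2_HELLO_PREFIX),
                         ("ldap bind", LDAP_BIND_PREFIX),
                         ("tls record", TLS_RECORD_PREFIX)]:
        peek = classify(sample)
        print(f"{name:12s} -> {peek.protocol}: {peek.detail}")
```

Run against the bytes from the post, the classifier reports an SSLv2-compatible ClientHello of record length 128 (plus the 2-byte header, matching `tls_write: want=130`) offering version 3.1, i.e. the client started a TLS handshake on a port where the server was waiting for a BER-encoded LDAPMessage. That is the mismatch to look for on the server side when `ber_get_next` fails on a fresh connection.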