slurpd replication over TLS
Hi,
Having a few problems trying to get secure replication working.
I've compiled 2.0.23 from source. Two servers behind a firewall have
been working quite well for a year using 2.0.23 since I built them, as a
backend to postfix and also providing auth for web and our CVS.
Now I have a rackmount box out on the Internet and I'm trying to
replicate to it over TLS. No dice.
I saw this:
http://www.openldap.org/lists/openldap-software/200207/msg00065.html
<blockquote>
You cannot use self-signed certificates for TLS services. You must
create one self-signed CA certificate and use that certificate to sign
your server certificates. On each machine, you must install the CA
certificate and tell the LDAP library where the CA cert is. You must
also install and configure the individual server certificates for each
server.
</blockquote>
So I set up a CA and went through the process of signing the
certificate, but I still get "Can't contact LDAP server" in the debug
output from slurpd, even when straight afterward I can run ldapsearch
from the same command line that I ran slurpd from, to the same server
over ldaps, and it works fine.
On the slave server I see this debug output when slurpd tries to connect:
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:634
Replica stanza looks like this on the master:
replica host=metacortex.humanfactors.uq.edu.au:636 tls=yes
binddn="cn=Replicator,dc=humanfactors,dc=uq,dc=edu,dc=au"
bindmethod=simple credentials=changed_to_protect_the_guilty
Now, I'm not sure how to "tell the LDAP library where the CA cert is".
I've tried putting TLS_CACERT in /etc/ldap.conf, but I'm not convinced
that slurpd reads that file as it gets its configuration from
/etc/slapd.conf.
Or the problem could be unrelated to the certs.
Any help appreciated.
Sarah Hollings
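Editor's note, with an added example that is not part of the post above and not OpenLDAP's own code. The slave's log line "SSL23_GET_CLIENT_HELLO:unknown protocol" is OpenSSL saying that the first bytes it received on the ldaps port were not a TLS ClientHello. A plain LDAP PDU (a StartTLS request or a bind) is a BER SEQUENCE and starts with 0x30, whereas a TLS handshake record starts with 0x16. In the slapd.conf replica directive of the 2.0 series, tls=yes (or tls=critical) makes slurpd open an ordinary LDAP connection to host:port and then issue StartTLS on it; pointing that at port 636 sends plaintext LDAP to a listener that expects TLS from the first byte, which produces exactly the server-side trace quoted above and "Can't contact LDAP server" on the slurpd side, while ldapsearch -H ldaps://host:636 from the same shell works because it does not go through StartTLS. The two POSIX shell helpers below make that diagnosis mechanical: one classifies the first byte a listener saw, the other lints a replica stanza for the StartTLS-on-636 combination. Hostnames and credentials in the demo are constructed; the stanza shape is the one from the post.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the original post or from OpenLDAP).
#
# classify_first_byte: interpret the first byte a TLS listener received.
#   0x16       TLS handshake record (what an ldaps client sends first)
#   0x80-0xff  SSLv2-compatible ClientHello
#   0x30       BER SEQUENCE, i.e. a plaintext LDAP PDU such as a StartTLS
#              extended request or a bind sent to the ldaps port
classify_first_byte() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        16) echo "tls-record: TLS handshake (ClientHello) from an ldaps client" ;;
        [89a-f][0-9a-f]) echo "sslv2-hello: SSLv2-compatible ClientHello" ;;
        30) echo "ber-sequence: plaintext LDAP PDU (StartTLS or bind sent to the ldaps port)" ;;
        *) echo "unknown: neither LDAP nor TLS" ;;
    esac
}

# lint_replica: read one slapd.conf replica stanza on stdin (continuation
# lines allowed) and flag the combination that yields the error in the
# thread: tls=yes|critical (StartTLS over a plain connection) with port 636
# (a listener that expects TLS from the first byte). Returns 1 on a mismatch.
lint_replica() {
    stanza=$(tr '\n\t' '  ')
    host=$(printf '%s' "$stanza" | sed -n 's/.*host=\([^ ]*\).*/\1/p')
    tls=$(printf '%s' "$stanza" | sed -n 's/.*tls=\([^ ]*\).*/\1/p')
    port=${host##*:}
    if [ "$port" = "$host" ]; then
        port=389   # no explicit port in host=: slurpd uses the LDAP port
    fi
    case "$tls" in
        yes|critical)
            if [ "$port" = "636" ]; then
                echo "MISMATCH: tls=$tls means StartTLS on a plain LDAP connection, but port 636 expects TLS immediately; use host=${host%:*}:389 (or no port) with tls=$tls"
                return 1
            fi
            echo "ok: plain connection to $host, then StartTLS" ;;
        ""|no)
            if [ "$port" = "636" ]; then
                echo "MISMATCH: no StartTLS configured, so slurpd will send plaintext LDAP to the ldaps port $port"
                return 1
            fi
            echo "ok: plaintext LDAP to $host (no TLS at all)" ;;
        *)
            echo "unknown tls value: $tls"
            return 2 ;;
    esac
}

# Demonstration on constructed stanzas shaped like the one in the post.
demo() {
    printf 'replica host=ldap.example.org:636 tls=yes\n\tbinddn="cn=Replicator,dc=example,dc=org"\n\tbindmethod=simple credentials=secret\n' \
        | lint_replica || true
    printf 'replica host=ldap.example.org:389 tls=critical\n\tbinddn="cn=Replicator,dc=example,dc=org"\n\tbindmethod=simple credentials=secret\n' \
        | lint_replica
    classify_first_byte 30   # what the ldaps listener saw in the thread
    classify_first_byte 16   # what it was expecting
}
demo
```

To see the first byte on a live system rather than reasoning from the log, capture the replica's first packet to port 636 with tcpdump -X and feed its first payload byte to classify_first_byte. Note also that slurpd links the same libldap as ldapsearch, so the TLS_CACERT setting belongs in libldap's ldap.conf (the copy under the OpenLDAP sysconfdir, which is what ldapsearch reads), not in slapd.conf; but with the stanza above, the certificate chain is never reached because the handshake never starts.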