[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: slurpd replication over TLS
It probably has nothing to do with your certs. TLS negotiates an SSL/TLS
session over the regular LDAP port (389), it does not work with an LDAPS
listener (port 636).
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Sarah Hollings
> Hi,
>
> Having a few problems trying to get secure replication working.
>
> I've compiled 2.0.23 from source. Two servers behind a firewall have
> been working quite well for a year using 2.0.23 since I built
> them, as a
> backend to postfix and also providing auth for web and our CVS.
>
> Now I have a rackmount box out on the Internet and I'm trying to
> replicate to it over TLS. No dice.
>
> I saw this:
>
> http://www.openldap.org/lists/openldap-software/200207/msg00065.html
>
> <blockquote>
> You cannot use self-signed certificates for TLS services. You must
> create one self-signed CA certificate and use that
> certificate to sign
> your server certificates. On each machine, you must install the CA
> certificate and tell the LDAP library where the CA cert is. You must
> also install and configure the individual server certificates
> for each
> server.
> </blockquote>
>
> So I set up a CA and went through the process of signing the
> certificate, but I still get "Can't contact LDAP server" in the debug
> output from slurpd, even when straight afterward I can run ldapsearch
> from the same command line that I ran slurpd from, to the same server
> over ldaps, and it works fine.
>
> On the slave server I see this debug output when slurpd tries
> to connect:
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> s23_srvr.c:634
>
> Replica stanza looks like this on the master:
> replica host=metacortex.humanfactors.uq.edu.au:636 tls=yes
> binddn="cn=Replicator,dc=humanfactors,dc=uq,dc=edu,dc=au"
> bindmethod=simple credentials=changed_to_protect_the_guilty
>
> Now, I'm not sure how to "tell the LDAP library where the CA
> cert is".
> I've tried putting TLS_CACERT in /etc/ldap.conf, but I'm not
> convinced
> that slurpd reads that file as it gets its configuration from
> /etc/slapd.conf.
>
> Or the problem could be unrelated to the certs.
>
> Any help appreciated.
>
> Sarah Hollings