
RE: Replication with slurpd - problems using TLS



Hi Quanah - I will give it a shot, but I think I am very confused as to
what is going on with openldap/SSL/TLS in general.  I don't have ldaps
turned on at all, and TLS works fine over port 389 for ssh user
authentication when the user is in ldap.  And actually, the only way I was
ever able to get TLS working was to basically abandon ldaps and port 636 and
just run ldap on 389 with start_tls in the /etc/ldap.conf file.  So I am
very perplexed when you tell me that slurpd needs to do TLS over port 636
(and this also seems to run contrary to the way it is done in the O'Reilly
LDAP book).  So I will try it, but I am very confused as to why :)

If anyone else has any insight into getting TLS turned on with slurpd I 
would really appreciate it, I have been away from my LDAP project for a 
few weeks and am back at this brick wall now trying to scale over it.
Thanks!

Michael

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
Sent: Friday, May 23, 2003 11:05 AM
To: Lawrence, Mike (White Plains); openldap-software@OpenLDAP.org
Subject: Re: Replication with slurpd - problems using TLS




--On Friday, May 23, 2003 10:36 AM -0400 "Lawrence, Mike (White Plains)" 
<Mike.Lawrence@starwoodhotels.com> wrote:

>
> Hi - I am in the process of trying to get replication working between a
> master and one slave instance
> using slurpd.  I'm using Solaris 8, with the padl pam and nss ldap
> modules - at this point just to let users
> authenticate against ldap when they ssh in.  Replication works now without
> TLS, but if I try turning it on it
> fails, and this is what I see show up in the slave's log file:
>
> May 23 10:03:08 wp-app3 slapd[2237]: [ID 733216 local4.debug]
> connection_read(12): TLS accept
> error error=-1 id=7, closing
>
> slurpd isn't logging any .rej files when the updates fail to propagate,
> but I do see the TLS errors
> from slapd.
>
> Both master and slave are configured identically.  I can authenticate
> against both with ssh using TLS.
> It just seems to be broken now for some reason with slurpd and
> replication.
>
> Their slapd.conf files look like this for the new replication pieces:
>
> master:
> ----------
> replogfile      /opt/csw/var/openldap-slurp/replica/slapd.replog
>
> replica       host=10.14.12.33:389
>                 suffix="dc=webtech,dc=com"
>                 binddn="cn=replica,dc=webtech,dc=com"
>                 credentials=secret
>                 bindmethod=simple
> 	    # tls=yes   -> if I turn this on it breaks
>
> slave:
> -------
> rootdn		"cn=replica,dc=webtech,dc=com"
> rootpw		{crypt}JOEAfuddHpilE
> updatedn	"cn=replica,dc=webtech,dc=com"
> updateref	ldap://10.14.12.32

Mark,

Have you tried changing the updateref to:

ldaps://10.14.12.32

?

--Quanah


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
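The slave's log line quoted in the thread ("connection_read(12): TLS accept error error=-1 id=7, closing") carries the connection id, and slapd's earlier "conn=N fd=M ACCEPT from IP=..." line for the same id names the peer. As an added example (not part of this thread or of OpenLDAP), the script below correlates the two so an operator can see which host's TLS handshakes the replica is rejecting; the log lines are constructed to match the syslog format shown above, with the master's address taken from the thread's updateref.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Solaris syslog output quoted in the thread.
SAMPLE_LOG = """\
May 23 10:03:07 wp-app3 slapd[2237]: [ID 733216 local4.debug] conn=7 fd=12 ACCEPT from IP=10.14.12.32:39912 (IP=0.0.0.0:389)
May 23 10:03:08 wp-app3 slapd[2237]: [ID 733216 local4.debug] connection_read(12): TLS accept error error=-1 id=7, closing
May 23 10:03:08 wp-app3 slapd[2237]: [ID 733216 local4.debug] conn=7 fd=12 closed
May 23 10:04:01 wp-app3 slapd[2237]: [ID 733216 local4.debug] conn=8 fd=13 ACCEPT from IP=10.14.12.33:39913 (IP=0.0.0.0:389)
May 23 10:04:02 wp-app3 slapd[2237]: [ID 733216 local4.debug] conn=8 fd=13 closed
"""

# slapd logs every accepted connection with its id, descriptor and peer address.
ACCEPT_RE = re.compile(
    r"conn=(?P<conn>\d+) fd=(?P<fd>\d+) ACCEPT from IP=(?P<ip>[\d.]+):(?P<port>\d+)"
)
# A failed TLS handshake on the accepting side is reported by descriptor and connection id.
TLS_ERR_RE = re.compile(
    r"connection_read\((?P<fd>\d+)\): TLS accept error error=(?P<err>-?\d+) id=(?P<conn>\d+)"
)
CLOSED_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ closed")


def tls_accept_failures(log_text):
    """Return {peer_ip: count} of connections whose TLS handshake failed on this slapd.

    Connections whose ACCEPT line is missing (log rotated away, or debug level too
    low when they arrived) are counted under "unknown" rather than dropped.
    """
    peer_by_conn = {}          # connection id -> peer IP, for currently open connections
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            peer_by_conn[m.group("conn")] = m.group("ip")
            continue
        m = TLS_ERR_RE.search(line)
        if m:
            failures[peer_by_conn.get(m.group("conn"), "unknown")] += 1
            continue
        m = CLOSED_RE.search(line)
        if m:
            peer_by_conn.pop(m.group("conn"), None)
    return dict(failures)


if __name__ == "__main__":
    for ip, n in tls_accept_failures(SAMPLE_LOG).items():
        print(f"{ip}: {n} TLS accept failure(s)")
```

A peer that appears here repeatedly is trying to negotiate TLS against a listener whose certificate or CA configuration it does not accept, which is where to look before touching the replication directives.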