Slurpd over SSL
Hello List,
I'd appreciate your help with the following issue.
I'm trying to set up slurpd replication over SSL.
There is one master and only one slave in my lab environment.
Both serve only SSL-enabled clients pretty smoothly: ldapsearch from
one connects, searches, and adds to the other, using a CA-issued
certificate, just like the OpenLDAP TLS/SSL How-to and many Howard
Chu answer posts :-)
So it does not seem to be related to using self-signed certificates,
but I'm getting this slurpd debug message:
"Error: ldap_start_tls failed: Can't contact LDAP server (81)"
Also, the replication runs fine in ldap:// mode (simple and
insecure).
I read a paragraph in item 7.0 of the mentioned How-to which says:
"Also, attempting to call ldap_start_tls_s() when an SSL connection
is already utilized will also be in error"
So, is there a way to start slurpd directly with SSL?
Is that the point, or did I miss something?
# My ldap.conf:
TLS_CACERT /var/myca/demoCA/cacert.pem
TLS_REQCERT never
# My slapd.conf (the relevant part):
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/etc/openldap/schema/core.schema
include /usr/etc/openldap/schema/cosine.schema
include /usr/etc/openldap/schema/nis.schema
include /usr/etc/openldap/schema/inetorgperson.schema
include /usr/etc/openldap/schema/misc.schema
include /usr/etc/openldap/schema/openldap.schema
access to *
        by self write
        by users read
        by anonymous auth
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
TLSVerifyClient never
database ldbm
replica host=angra.heavymetal.com:636 tls=critical
        binddn="cn=metallord,o=heavymetal.com"
        bindmethod=simple credentials=mypass
replogfile /usr/var/openldap-data/replog/changes.log
suffix "o=heavymetal.com"
rootdn "cn=metallord,o=heavymetal.com"
rootpw mypass
directory /usr/var/openldap-data
index objectClass eq
# ldapsearch results:
ldapsearch -x -D "cn=metallord,o=heavymetal.com" -W \
    -b o=heavymetal.com -s sub -H ldaps://angra.heavymetal.com \
    -v '(objectclass=*)'
ldap_initialize( ldaps://angra.heavymetal.com )
Enter LDAP Password:
filter: (objectclass=*)
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <o=heavymetal.com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
# heavymetal.com
dn: o=heavymetal.com
objectClass: top
objectClass: organization
o: heavymetal.com
description: Heavy Metal Land
# computers, heavymetal.com
dn: ou=computers,o=heavymetal.com
ou: computers
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
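Added example, not code from the original post or from OpenLDAP: a small lint for the replica directives in slapd.conf that flags the transport mix-up the debug message above points at, a StartTLS request (tls=critical) sent to port 636, where the socket is already SSL and a second handshake cannot be started. It assumes the replica keyword accepts either host=<name>[:port] (plain port, StartTLS requested with tls=critical) or uri=ldaps://<name>[:port] (SSL from the first byte, no tls= keyword); check that against your own slapd.conf(5) before relying on it. The sample configuration inside the script is constructed from the post's slapd.conf with the password replaced.

```shell
#!/bin/sh
# Added example; not code from the original post or from OpenLDAP.
# Lints the "replica" directives of a slapd.conf for the transport mix-up
# behind "ldap_start_tls failed: Can't contact LDAP server (81)": a StartTLS
# request (tls=yes|critical; starttls=yes|critical in later releases) aimed
# at port 636, where the socket is already SSL and a second handshake cannot
# be started.
#
# Assumptions to check against your own slapd.conf(5): the replica keyword
# accepts "host=<name>[:port]" (plain port 389 plus tls=critical for StartTLS)
# or "uri=ldaps://<name>[:port]" (SSL from the first byte, no tls= keyword).

# check_replica "<one joined replica directive>" -> prints one verdict line.
# Runs in a subshell so its variables and "set -f" do not leak.
check_replica() (
    set -f                               # no globbing while splitting $1
    scheme=ldap; port=389; starttls=no; host=""
    for tok in $1; do
        case $tok in
            host=*)        hp=${tok#host=};        scheme=ldap ;;
            uri=ldaps://*) hp=${tok#uri=ldaps://}; scheme=ldaps; port=636 ;;
            uri=ldap://*)  hp=${tok#uri=ldap://};  scheme=ldap ;;
            tls=yes|tls=critical|starttls=yes|starttls=critical)
                           starttls=yes; continue ;;
            *)             continue ;;
        esac
        hp=${hp%/}                       # tolerate a trailing slash in a URI
        case $hp in
            *:*) host=${hp%%:*}; port=${hp##*:} ;;
            *)   host=$hp ;;
        esac
    done
    if [ "$starttls" = yes ] && { [ "$scheme" = ldaps ] || [ "$port" = 636 ]; }; then
        printf 'MISMATCH %s:%s StartTLS on the SSL port; use host=%s:389 with tls=critical, or uri=ldaps://%s:636 without tls=\n' "$host" "$port" "$host" "$host"
    elif [ "$starttls" = no ] && [ "$scheme" = ldap ]; then
        printf 'PLAINTEXT %s:%s replication, bind credentials included, goes unencrypted\n' "$host" "$port"
    else
        printf 'OK %s:%s (%s, starttls=%s)\n' "$host" "$port" "$scheme" "$starttls"
    fi
)

# lint_text < slapd.conf -> one verdict per replica directive. slapd.conf
# continues a directive on lines that begin with whitespace, so join those
# onto the directive line first, then hand each "replica ..." line over.
lint_text() {
    tab=$(printf '\t')
    awk '/^[ \t]/ { buf = buf " " $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    while IFS= read -r line; do
        case $line in
            "replica "*|"replica$tab"*) check_replica "$line" ;;
        esac
    done
}

# Constructed sample modelled on the post's slapd.conf (password replaced):
# the original directive, the two working alternatives, and a plain one.
SAMPLE_CONF='database ldbm
replica host=angra.heavymetal.com:636 tls=critical
        binddn="cn=metallord,o=heavymetal.com"
        bindmethod=simple credentials=secret
replica host=angra.heavymetal.com tls=critical
        binddn="cn=metallord,o=heavymetal.com" bindmethod=simple credentials=secret
replica uri=ldaps://angra.heavymetal.com:636
        binddn="cn=metallord,o=heavymetal.com" bindmethod=simple credentials=secret
replica host=angra.heavymetal.com
        binddn="cn=metallord,o=heavymetal.com" bindmethod=simple credentials=secret
replogfile /usr/var/openldap-data/replog/changes.log'

printf '%s\n' "$SAMPLE_CONF" | lint_text
```

Run it against a real file with `lint_text < /usr/etc/openldap/slapd.conf`. To confirm by hand which transport the slave actually speaks on each port, `ldapsearch -x -ZZ -H ldap://angra.heavymetal.com:389 -b o=heavymetal.com -s base '(objectclass=*)'` exercises StartTLS on the plain port (`-ZZ` fails the search if StartTLS does not succeed), while `ldapsearch -x -H ldaps://angra.heavymetal.com:636 ...` exercises SSL on port 636, which is what the successful search in the post already shows; a replica directive has to pick one of the two, not both.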