
Slurpd over SSL revisited

I read the emails from last month regarding how to do this, but still can't get it working right. I am trying to replicate with an openldap server via SSL.

When I try to update the master I get the following from slurpd when running in debug:
Initializing session to godel.musc.edu:636
bind to godel.musc.edu:636 as cn=Manager,o=MUSC,c=US (simple)
ber_get_next failed.
Error: ldap_simple_bind_s for godel.musc.edu:636 failed: Can't contact LDAP server

In one of the emails from last month on this topic I saw some people adding "tls=on" or "tls=hard" in their replica setting. When I add that I get the following when I edit an attribute:
Initializing session to godel.musc.edu:636
ber_get_next failed.
Warning: ldap_start_tls failed: Can't contact LDAP server (81)
Initializing session to godel.musc.edu:636
bind to godel.musc.edu:636 as cn=Manager,o=MUSC,c=US (simple)
ber_get_next failed.
Error: ldap_simple_bind_s for godel.musc.edu:636 failed: Can't contact LDAP server

I was able to use stunnel to create a "non-secure" port to route to the secure port on the slave machine, and it does work, but not if I go straight to the slave server. I am using openldap 2.1.22, though I have the same results with openldap 2.1.25. I am wondering if it has anything to do with using "SSLv2" instead of "SSLv3", which many people are using; however, I changed TLSCipherSuite in the slapd.conf on my slave to "HIGH:MEDIUM:+SSLv3" with no noticeable change in results. Also, I do see attempts to connect in the logs on the slave server from the slurpd server. Any thoughts? Thanks in advance for any help you can provide.

My Master server slapd.conf is:
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
pidfile         /usr/local/openldap/var/slapd.pid
argsfile        /usr/local/openldap/var/slapd.args
access to attr=userPassword
       by anonymous auth
       by self read
       by * none

access to *
       by * read
       by dn="cn=Manager,o=MUSC,c=US" write
idletimeout     360
sizelimit       250
loglevel        256
allow           bind_v2
database        bdb
suffix          "o=MUSC,c=US"
rootdn          "cn=Manager,o=MUSC,c=US"
rootpw          PASSWORDHERE
directory       /usr/local/openldap/var/openldap-data
replogfile /usr/local/openldap/var/openldap-slurp/slapd.replog
replica host=godel.musc.edu:636
       binddn="cn=Manager,o=MUSC,c=US"
       bindmethod=simple
       credentials=SLAVEPASSWORDHERE
index uid,cn,mail,sn,givenName eq,sub
index objectClass eq

And my slave server slapd.conf file is:
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
pidfile         /usr/local/openldap/var/slapd.pid
argsfile        /usr/local/openldap/var/slapd.args
access to attr=userPassword
       by anonymous auth
       by self read
       by * none
access to *
       by anonymous auth
       by users read
       by dn="cn=Manager,o=MUSC,c=US" write
idletimeout     360
sizelimit       250
loglevel        256
allow           bind_v2
database        bdb
suffix          "o=MUSC,c=US"
rootdn          "cn=Manager,o=MUSC,c=US"
rootpw          PASSWORDHERE
updatedn        cn=Manager,o=MUSC,c=US
directory       /usr/local/openldapSSL/var/openldap-data
index uid,cn,mail,sn,givenName eq,sub
index objectClass eq
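The two debug traces above show two different failures against the same port: a cleartext simple bind to 636 dies in ber_get_next (no LDAP reply could be parsed), and with tls=on the ldap_start_tls request, which is sent over a cleartext connection, fails the same way, while putting stunnel in front of 636 makes replication work. The first thing a practitioner would want to establish is therefore whether the slave's 636 answers cleartext LDAP at all or expects a TLS handshake from the very first byte. The probe below is an added example, not code from the poster or from OpenLDAP: it sends a hand-encoded anonymous LDAPv3 bind in the clear and classifies the first bytes that come back, and it can also attempt an immediate TLS handshake the way an ldaps client would. The three local listeners it demonstrates against are constructed stand-ins; that a TLS-only listener fed cleartext either hangs up or answers with a TLS alert record is an assumption about typical server behaviour, not something the mail confirms.

```python
import socket
import ssl
import sys
import threading

# Minimal LDAPv3 anonymous simple bind, hand-encoded in BER (constructed here):
# LDAPMessage { messageID 1, bindRequest { version 3, name "", simple "" } }
ANON_BIND = bytes([
    0x30, 0x0c,          # SEQUENCE, 12 bytes follow
    0x02, 0x01, 0x01,    #   messageID INTEGER 1
    0x60, 0x07,          #   [APPLICATION 0] BindRequest, 7 bytes follow
    0x02, 0x01, 0x03,    #     version INTEGER 3
    0x04, 0x00,          #     name LDAPDN ""
    0x80, 0x00,          #     authentication simple [0] ""
])

# Constructed replies standing in for the two kinds of listener a probe can hit:
# a cleartext LDAP server answering bindResponse success(0), and a TLS listener
# answering the cleartext bytes with a fatal protocol_version alert (record type 21).
BIND_RESPONSE_OK = bytes([0x30, 0x0c, 0x02, 0x01, 0x01,
                          0x61, 0x07, 0x0a, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00])
TLS_ALERT_PROTOCOL_VERSION = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46])


def classify_ldap_port(host, port, timeout=5.0):
    """Send a cleartext anonymous bind and classify the first bytes that come back.

    "plain-ldap"  - a BER LDAPMessage came back: cleartext LDAP, the kind of
                    listener a StartTLS request (replica tls=yes) can talk to
    "tls-alert"   - a TLS alert record came back: the listener wanted a handshake first
    "closed"      - the peer hung up without answering (assumed typical of a TLS-only port)
    "no-response" - nothing arrived within the timeout
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ANON_BIND)
        try:
            data = sock.recv(64)
        except socket.timeout:
            return "no-response"
    if not data:
        return "closed"
    if data[0] == 0x30:                              # BER SEQUENCE: an LDAPMessage
        return "plain-ldap"
    if data[0] == 0x15 and data[1:2] == b"\x03":     # TLS alert record, version 3.x
        return "tls-alert"
    return "unknown"


def tls_handshake_ok(host, port, timeout=5.0):
    """True if the port completes an immediate TLS handshake, as an ldaps client expects.

    Verification is disabled on purpose: the question is only whether the listener
    speaks TLS from byte one, not whether its certificate chains to a trusted CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def serve_once(reply):
    """Throwaway 127.0.0.1 listener: answers one connection with `reply`, or just
    closes it when reply is None. Returns the chosen port. Constructed for the demo."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)                 # consume the probe bytes
            if reply is not None:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo():
    """Probe the three constructed listeners and return their verdicts."""
    return {
        "cleartext": classify_ldap_port("127.0.0.1", serve_once(BIND_RESPONSE_OK)),
        "tls_alert": classify_ldap_port("127.0.0.1", serve_once(TLS_ALERT_PROTOCOL_VERSION)),
        "hangup": classify_ldap_port("127.0.0.1", serve_once(None)),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:                # python probe.py <slave-host> <port>
        host, port = sys.argv[1], int(sys.argv[2])
        print("cleartext probe:", classify_ldap_port(host, port))
        print("tls handshake:  ", tls_handshake_ok(host, port))
    else:
        print(demo())
```

Run it with the slave host and port as arguments against your own servers; a port that returns "closed" or "tls-alert" from the cleartext probe but True from the handshake check is behaving like the ldaps port that stunnel was wrapping, and a replica entry that binds in the clear or issues StartTLS there will keep failing in ber_get_next exactly as the traces show.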