Slurpd over SSL revisited
I read the emails from last month regarding how to do this, but still
can't get it working right. I am trying to replicate with an openldap
server via SSL.
When I try to update the master I get the following from slurpd when
running in debug:
Initializing session to godel.musc.edu:636
bind to godel.musc.edu:636 as cn=Manager,o=MUSC,c=US (simple)
ber_get_next failed.
Error: ldap_simple_bind_s for godel.musc.edu:636 failed: Can't contact LDAP server
In one of the emails from last month on this topic I saw some people
adding "tls=on" or "tls=hard" in their replica setting. When I add that
I get the following when I edit an attribute:
Initializing session to godel.musc.edu:636
ber_get_next failed.
Warning: ldap_start_tls failed: Can't contact LDAP server (81)
Initializing session to godel.musc.edu:636
bind to godel.musc.edu:636 as cn=Manager,o=MUSC,c=US (simple)
ber_get_next failed.
Error: ldap_simple_bind_s for godel.musc.edu:636 failed: Can't contact LDAP server
I was able to use stunnel to create a "non-secure" port to route to the
secure port on the slave machine, and it does work, but not if I go
straight to the slave server. I am using openldap 2.1.22, though I have
the same results with openldap 2.1.25. I am wondering if it has
anything to do with using "SSLv2" instead of "SSLv3" which many people
are using; however, I changed TLSCipherSuite in the slapd.conf on my slave
to "HIGH:MEDIUM:+SSLv3" with no noticeable change in
results. Also I do see attempts to connect in the logs on the Slave
server from the Slurp server. Any thoughts? Thanks in advance for any
help you can provide.
My Master server slapd.conf is:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
pidfile /usr/local/openldap/var/slapd.pid
argsfile /usr/local/openldap/var/slapd.args
access to attr=userPassword
by anonymous auth
by self read
by * none
access to *
by * read
by dn="cn=Manager,o=MUSC,c=US" write
idletimeout 360
sizelimit 250
loglevel 256
allow bind_v2
database bdb
suffix "o=MUSC,c=US"
rootdn "cn=Manager,o=MUSC,c=US"
rootpw PASSWORDHERE
directory /usr/local/openldap/var/openldap-data
replogfile /usr/local/openldap/var/openldap-slurp/slapd.replog
replica host=godel.musc.edu:636
        binddn="cn=Manager,o=MUSC,c=US"
        bindmethod=simple
        credentials=SLAVEPASSWORDHERE
index uid,cn,mail,sn,givenName eq,sub
index objectClass eq
And my Slave server slapd.conf file is:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
pidfile /usr/local/openldap/var/slapd.pid
argsfile /usr/local/openldap/var/slapd.args
access to attr=userPassword
by anonymous auth
by self read
by * none
access to *
by anonymous auth
by users read
by dn="cn=Manager,o=MUSC,c=US" write
idletimeout 360
sizelimit 250
loglevel 256
allow bind_v2
database bdb
suffix "o=MUSC,c=US"
rootdn "cn=Manager,o=MUSC,c=US"
rootpw PASSWORDHERE
updatedn cn=Manager,o=MUSC,c=US
directory /usr/local/openldapSSL/var/openldap-data
index uid,cn,mail,sn,givenName eq,sub
index objectClass eq
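The following is an added example, not code from the original post and not part of OpenLDAP. It shows at the byte level why the two debug traces above look the way they do: a plain-LDAP client writes a BER-encoded LDAPMessage as the first bytes on the socket, while a socket listening for ldaps:// expects a TLS ClientHello first, so the peer either closes the connection or answers with a TLS alert record and the client's BER decoder fails on the first byte. StartTLS ("tls=on") cannot rescue this, because it is an extended operation carried over a plain-LDAP session that never comes up. The hostname and bind DN are the placeholders from the post; the reply byte strings are constructed by hand, not captured from a real server; the `probe()` function needs network access and is not exercised offline.

```python
"""Why plain LDAP (or StartTLS) against an ldaps:// port fails in ber_get_next.

Added illustration, not code from the original post or from OpenLDAP.
Every byte string marked "constructed" was written for this example.
"""
import socket

# --- minimal BER encoder, enough for an LDAP BindRequest -------------------

def ber_len(n):
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def ldap_simple_bind(msg_id, dn, password, version=3):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }.
    This is what a plain-LDAP client such as slurpd writes first on a new socket."""
    bind = ber_tlv(0x60,
                   ber_tlv(0x02, bytes([version])) +      # version INTEGER
                   ber_tlv(0x04, dn.encode()) +            # name LDAPDN
                   ber_tlv(0x80, password.encode()))       # authentication simple [0]
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + bind)

# --- minimal BER reader, mimicking what ber_get_next has to do --------------

def ber_read(data, pos=0):
    """Read one TLV at pos; return (tag, content, end). ValueError on truncation."""
    if pos >= len(data):
        raise ValueError("no data")
    tag = data[pos]
    pos += 1
    if pos >= len(data):
        raise ValueError("truncated length")
    first = data[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(data):
            raise ValueError("bad length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated content")
    return tag, data[pos:pos + length], pos + length

def ldap_result_code(reply):
    """Pull resultCode out of an LDAPResult-style reply (e.g. BindResponse)."""
    tag, msg, _ = ber_read(reply)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE (first byte 0x%02x)" % tag)
    _, _msgid, pos = ber_read(msg, 0)        # messageID
    _op_tag, op, _ = ber_read(msg, pos)      # protocolOp, e.g. 0x61 BindResponse
    code_tag, code, _ = ber_read(op, 0)      # resultCode ENUMERATED
    if code_tag != 0x0A:
        raise ValueError("resultCode missing")
    return int.from_bytes(code, "big")

# --- classify what came back -------------------------------------------------

TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}

def classify_reply(data):
    """Short verdict on the first bytes a peer sent back to a plain-LDAP bind."""
    if not data:
        return "eof: peer closed the socket before any LDAP message (TLS-only port?)"
    first = data[0]
    if first == 0x30:
        return "ber: LDAPMessage SEQUENCE, peer speaks plain LDAP on this port"
    if first in TLS_RECORD_TYPES and len(data) >= 3 and data[1] == 0x03:
        return ("tls: %s record (version 3.%d); peer expects TLS from byte one, "
                "use ldaps:// or a TLS tunnel, not plain LDAP or StartTLS"
                % (TLS_RECORD_TYPES[first], data[2]))
    return "unknown: first byte 0x%02x is neither a BER SEQUENCE nor a TLS record" % first

def probe(host, port, timeout=5.0):
    """Live check (needs network): anonymous plain-LDAP bind, then classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(ldap_simple_bind(1, "", ""))
        try:
            return classify_reply(s.recv(16))
        except (ConnectionResetError, socket.timeout):
            return "eof: peer reset or timed out, likely a TLS-only port"

# Constructed sample replies (not captured from a real server):
BIND_OK = b"\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00"         # resultCode 0
BIND_INVALID_CREDS = b"\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x31\x04\x00\x04\x00"  # resultCode 49
TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"   # fatal handshake_failure alert, TLS 1.0 record

if __name__ == "__main__":
    req = ldap_simple_bind(1, "cn=Manager,o=MUSC,c=US", "PASSWORDHERE")
    print("slurpd's first bytes on the wire:", req[:8].hex(), "...")
    for label, reply in (("plain LDAP server", BIND_OK), ("ldaps port, alert", TLS_ALERT),
                         ("ldaps port, close", b"")):
        print("%-20s %s" % (label, classify_reply(reply)))
    # probe("godel.musc.edu", 636)   # live check against the slave, needs network
```

Run it as a script to see the verdict for each constructed reply; uncomment the `probe()` call to run the same check against a real host. The stunnel workaround in the post works for exactly this reason: the tunnel supplies the TLS layer on the client side and hands slurpd a plain-LDAP socket. Pointing the replica directive at an ldaps URI instead of host=...:636 is the direct equivalent where the slurpd build accepts a `uri=` form; that option is not confirmed by the post and should be checked against the slapd.conf(5) man page of the version in use.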