
TLS/SSL failover problem
Does anyone know how to configure a server that uses nss_ldap & pam_ldap
for authentication and is also an LDAP server to fail over to another
LDAP server if its own LDAP server dies?

I've got an OpenLDAP master server and an OpenLDAP slave server.  I use
TLS to encrypt replication traffic between them and it works just fine. 
I can also connect to each of them with TLS or SSL capable clients.  SSL
connections with LDAP Browser\Editor v2.8.2
(http://www.iit.edu/~gawojar/ldap/), and TLS connections with GQ
(http://biot.com/gq/), so I know SSL & TLS are working properly.

When I tried to setup a failover configuration, however, I ran into all
sorts of problems.

Here's my understanding of how to configure failover ...

1) put space-separated LDAP servers on a single "host" line in
/etc/ldap.conf

host localhost ldap2.virtc.com

OR

2) put space-separated URIs on a single "uri" line in /etc/ldap.conf

uri ldap://localhost ldap://ldap2.virtc.com

I was never able to get it to work consistently with the "uri" format,
but it does just fine with the "host" format.

I have ssl set to off in /etc/ldap.conf.  That's fine as long as I'm
authenticating via localhost, but if the local ldap server dies, and
nss_ldap and pam_ldap fall back on using ldap2.virtc.com, all of the
traffic will be un-encrypted across the network.  That's bad, so I
wanted to turn on TLS or ssl.

I tried this in /etc/ldap.conf:
host ldap1.virtc.com ldap2.virtc.com
ssl on

With that setting, initial failover works.  If I shut down the ldap
server on ldap1.virtc.com, nss_ldap and pam_ldap successfully connect to
ldap2.virtc.com over ssl for auth information.

However, when I restart the ldap server on ldap1.virtc.com, nss_ldap and
pam_ldap don't properly revert to using ldap1.virtc.com.  In fact, a
'getent passwd' on ldap1.virtc.com core dumps after providing the
contents of /etc/passwd.  Here's what the output looks like:

---------------
getent: cyrus.c:469: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx
== ((void *)0)' failed.
Aborted (core dumped)
-----------------

Very curious since I'm using basic authentication, not sasl.

I can fix this by setting
ssl off
in /etc/ldap.conf, restarting ldap on ldap1.virtc.com, and then setting
ssl on
in /etc/ldap.conf.

Anybody know what's going on here?

This is Mandrake 9.2 with the following packages:
libldap2-2.1.22-5mdk
nss_ldap-207-4.1.92mdk
openldap-2.1.22-5mdk
openldap-clients-2.1.22-5mdk
openldap-servers-2.1.22-5mdk
pam_ldap-164-4.1.92mdk

-- 
-----------------------------------------------------------
Doug Wilson
Project Director - Information Systems
Virtual Technology Corporation
703-658-7050
dwilson@virtc.com
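The risk behind the post above is that with "ssl off" a failover to a remote server sends authentication traffic in the clear. The following audit check is an added example, not from the original post or from nss_ldap; it parses only the host, uri and ssl keywords of an /etc/ldap.conf and assumes that "ssl on" or "ssl start_tls" encrypts every listed server, while only loopback names count as local.

```python
"""Hypothetical audit for plaintext LDAP failover in an nss_ldap/pam_ldap
style /etc/ldap.conf.  Not part of nss_ldap.  It reports every configured
server that would be reached without TLS/SSL.  Only the 'host', 'uri' and
'ssl' keywords are considered (ssl values: off, on, start_tls)."""

LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}


def parse_ldap_conf(text):
    """Return (servers, ssl_mode); servers is a list of (scheme, hostname)."""
    servers, ssl_mode = [], "off"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            # 'host' entries use plain LDAP unless the ssl keyword upgrades them
            servers += [("ldap", h) for h in value.split()]
        elif key == "uri":
            for uri in value.split():
                scheme, _, rest = uri.partition("://")
                hostname = rest.split("/")[0].split(":")[0]
                servers.append((scheme.lower(), hostname))
        elif key == "ssl":
            ssl_mode = value.strip().lower()
    return servers, ssl_mode


def plaintext_failover_targets(text):
    """Hostnames that could receive auth lookups unencrypted (assumption:
    'ssl on' / 'ssl start_tls' encrypts every server in the list)."""
    servers, ssl_mode = parse_ldap_conf(text)
    exposed = []
    for scheme, hostname in servers:
        encrypted = scheme == "ldaps" or ssl_mode in ("on", "start_tls")
        if not encrypted and hostname not in LOCAL_NAMES:
            exposed.append(hostname)
    return exposed


# Constructed samples: the weak configuration from the post and a hardened one.
WEAK_CONF = "host localhost ldap2.virtc.com\nssl off\n"
FIXED_CONF = "host ldap1.virtc.com ldap2.virtc.com\nssl on\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, plaintext_failover_targets(conf))
```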