
Re: TLS/SSL failover problem



Thanks for the response.  The slapd args are:

/usr/sbin/slapd -u ldap -g ldap -l LOCAL0 -s 0 -h ldap:/// ldaps:///

Paths to certificates are set up properly in /etc/openldap/slapd.conf:
TLSCertificateFile      /etc/ssl/openldap/slapd-cert
TLSCertificateKeyFile   /etc/ssl/openldap/slapd-key
TLSCACertificateFile    /etc/ssl/openldap/ca.cert

I'm using a self-signed certificate, so I have set 
TLS_REQCERT allow
in /etc/ldap.conf.

The only other SSL/TLS related setting I have in my /etc/ldap.conf is:
ssl on

With no failover in place SSL/TLS work just fine ... I can confirm that
by connecting to the ldap server over SSL with LDAP Browser/Editor and
by connecting with TLS using GQ.

It's only after switching to the failover server, and trying to switch
back to the primary ldap server that I run into a problem.

Maybe I need to use an explicit TLS_CACERT or TLS_CACERTDIR (I'm using
more than 1 CA since each ldap server uses a self-signed certificate)
entry?

How would I set logging in /etc/openldap/slapd.conf so that I could see
if it was a certificate problem?

On Wed, 2004-03-10 at 01:21, Dieter Kluenter wrote:
> Hi,
> 
> Doug Wilson <dwilson@virtc.com> writes:
> 
> [...]
> > I've got an OpenLDAP master server and an OpenLDAP slave server.  I use
> > TLS to encrypt replication traffic between them and it works just fine. 
> > I can also connect to each of them with TLS or SSL capable clients.  SSL
> > connections with LDAP Browser\Editor v2.8.2
> > (http://www.iit.edu/~gawojar/ldap/), and TLS connections with GQ
> > (http://biot.com/gq/), so I know SSL & TLS are working properly.
> >
> > When I tried to set up a failover configuration, however, I ran into all
> > sorts of problems.
> >
> > Here's my understanding of how to configure failover ...
> [...]
> > I have ssl set to off in /etc/ldap.conf.  That's fine as long as I'm
> > authenticating via localhost, but if the local ldap server dies, and
> > nss_ldap and pam_ldap fall back on using ldap2.virtc.com, all of the
> > traffic will be un-encrypted across the network.  That's bad, so I
> > wanted to turn on TLS or ssl.
> >
> > I tried this in /etc/ldap.conf:
> > host ldap1.virtc.com ldap2.virtc.com
> > ssl on
> >
> > With that setting, initial failover works.  If I shut down the ldap
> > server on ldap1.virtc.com, nss_ldap and pam_ldap successfully connect to
> > ldap2.virtc.com over ssl for auth information.
> >
> > However, when I restart the ldap server on ldap1.virtc.com, nss_ldap and
> > pam_ldap don't properly revert to using ldap1.virtc.com.  In fact, a
> > 'getent passwd' on ldap1.virtc.com core dumps after providing the
> > contents of /etc/passwd.  Here's what the output looks like:
> [...]
> > Very curious since I'm using basic authentication, not sasl.
> >
> > I can fix this by setting
> > ssl off
> > in /etc/ldap.conf, restarting ldap on ldap1.virtc.com, and then setting
> > ssl on
> > in /etc/ldap.conf.
> >
> > Anybody know what's going on here?
> 
> What are your slapd setup parameters?
> ./slapd -h "ldap:/// ldaps:///"
> Are the paths to certificates set properly in /etc/ldap.conf and
> /etc/openldap/ldapconf? 
> 
> -Dieter
-- 
-----------------------------------------------------------
Doug Wilson
Project Director - Information Systems
Virtual Technology Corporation
703-658-7050
dwilson@virtc.com
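The client-side settings quoted in this thread (`host ldap1 ldap2`, `ssl on`, `TLS_REQCERT allow`) are worth auditing as a unit: per ldap.conf(5), `allow` means a bad or unknown server certificate is ignored and the session proceeds, so once nss_ldap/pam_ldap has failed over to the second server nothing distinguishes that server from an impostor on the network. The script below is an added example, not code from the thread or from OpenLDAP/nss_ldap. It parses ldap.conf's `KEY value` lines, flags that combination, and emits the hardened form (every server's self-signed certificate in a hashed `TLS_CACERTDIR`, plus `TLS_REQCERT demand`). The sample config and the `/etc/openldap/cacerts` path are constructed; the assumption that a missing `TLS_REQCERT` defaults to `demand` follows libldap's documented behaviour.

```python
"""Audit an nss_ldap/pam_ldap style ldap.conf for the failover TLS weakness
discussed in the thread, and emit a hardened version.

Added example (not from the thread or from OpenLDAP). Assumptions: the client
links against libldap, so TLS_REQCERT is honoured and defaults to `demand`
when absent; the CA directory path is illustrative.
"""
from __future__ import annotations

# Constructed sample reproducing the settings quoted in the thread.
THREAD_LDAP_CONF = """\
host ldap1.virtc.com ldap2.virtc.com
# base is constructed; the thread does not show one
base dc=virtc,dc=com
ssl on
# self-signed certificate, so verification was relaxed:
TLS_REQCERT allow
"""

# TLS_REQCERT values under which a bad certificate does NOT end the session.
_NO_VERIFY = {"never", "allow"}


def parse_ldap_conf(text: str) -> dict[str, list[str]]:
    """Return {key: [values...]} for one `KEY value` per line.

    Keys are case-insensitive (`TLS_REQCERT` and `tls_reqcert` are the same
    directive), so they are lower-cased; lines starting with `#` and blank
    lines are skipped; a repeated key keeps every value in file order.
    """
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def servers(conf: dict[str, list[str]]) -> list[str]:
    """Every server named on `host` or `uri` lines (both take a space-separated list)."""
    out: list[str] = []
    for key in ("host", "uri"):
        for value in conf.get(key, []):
            out.extend(value.split())
    return out


def tls_in_use(conf: dict[str, list[str]], hosts: list[str]) -> bool:
    """`ssl on` / `ssl start_tls`, or any ldaps:// URI, means TLS is expected."""
    last_ssl = conf.get("ssl", ["off"])[-1].lower()
    return last_ssl in ("on", "start_tls") or any(h.lower().startswith("ldaps://") for h in hosts)


def audit(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    conf = parse_ldap_conf(text)
    hosts = servers(conf)
    findings: list[str] = []
    if not tls_in_use(conf, hosts):
        if len(hosts) > 1:
            findings.append("cleartext: failover to a remote server would send "
                            "credentials and directory data unencrypted")
        return findings
    # Assumption: libldap default when the directive is absent is `demand`.
    reqcert = conf.get("tls_reqcert", ["demand"])[-1].lower()
    if reqcert in _NO_VERIFY:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified, so "
                        f"none of {', '.join(hosts) or 'the servers'} can be authenticated "
                        "after failover")
    elif len(hosts) > 1 and not (conf.get("tls_cacert") or conf.get("tls_cacertdir")):
        findings.append("verification is demanded but no TLS_CACERT/TLS_CACERTDIR is set; "
                        "with one self-signed cert per server, at least one host will "
                        "fail verification instead of failing over")
    return findings


def harden(text: str, cacertdir: str = "/etc/openldap/cacerts") -> str:
    """Drop relaxed TLS_REQCERT/TLS_CACERTDIR lines, then demand verification
    against a directory holding every server's certificate (hashed names, as
    produced by `openssl x509 -hash`, are what libldap looks up there)."""
    kept: list[str] = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0].lower() in ("tls_reqcert", "tls_cacertdir"):
            continue
        kept.append(line)
    kept.append("# one PEM file per server certificate, named <hash>.0")
    kept.append(f"TLS_CACERTDIR {cacertdir}")
    kept.append("TLS_REQCERT demand")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit(THREAD_LDAP_CONF):
        print("FINDING:", finding)
    print("--- hardened ---")
    print(harden(THREAD_LDAP_CONF))
```

Running it against the thread's settings reports the `allow` finding and prints the hardened config; after hardening, the audit returns nothing, and each server's self-signed certificate only needs to be dropped into the CA directory under its hash name for `demand` to succeed on both the primary and the failover host.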