
Re: Slurp SSL replication



Mike Nuss wrote:

Hi,

I'm trying to set up slurp replication, which is something I haven't done before. I have it working fine over port 389 with plaintext, but for obvious security reasons I would like to have that traffic encrypted. I'm using openldap 2.0.27, which I'm told doesn't support the replica uri=ldaps://host.domain.tld/ syntax, so my master slapd.conf looks like this:


replica host=x.ammasso.com:636 tls=yes
bindmethod=simple credentials=secret
binddn="cn=x,o=Ammasso,c=US"

This topic has been discussed hundreds of times; please check the archives. I don't know whether it works with 2.0, though, but TLS is performed on port 389 (or at least on a port that listens for plain ldap, not ldaps). So don't use ":636", leave it at ":389", and use tls=critical; otherwise your connection will go unencrypted with little warning if TLS fails.


p.




Again, this works fine if I do it over port 389, but with the above config it fails. The debug output on the slave looks like this:



daemon: new connection on 8
daemon: conn=264 fd=8 connection from IP=x.x.x.x:40468 (IP=0.0.0.0:636) accepted.
daemon: added 8r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 8r
daemon: read activity on 8
connection_get(8)
connection_get(8): got connid=264
connection_read(8): checking for input on id=264
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 30 1d 02 01 01 77 18 80 16 31 2e 0....w...1.
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:585
connection_read(8): TLS accept error error=-1 id=264, closing
connection_closing: readying conn=264 sd=8 for close
connection_close: conn=264 sd=8
daemon: removing 8



(Some irrelevant items have been x'ed out for the sake of privacy.)

What's with the TLS error? I'm sure the certificates are fine because I'm able to query with ldaps to both servers.

Thanks,
Mike Nuss






   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
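The slave's debug output already shows why the handshake failed, and the following script decodes it. This is an added example for the thread, not OpenLDAP or slurpd code: the only bytes it takes from the post are the 11 in the tls_read dump (tls_read: want=11, got=11); the complete StartTLS request, the TLS ClientHello prefix it is compared against, and the helper names are constructed for the example. It relies on two facts: the StartTLS extended operation OID is 1.3.6.1.4.1.1466.20037 (22 characters, which is the 0x16 length byte in the dump), and OpenSSL reports SSL23_GET_CLIENT_HELLO:unknown protocol when the first bytes on the socket fit neither an SSLv2 nor an SSLv3/TLS hello.

```python
"""
Decode the first bytes an ldaps listener received, to show why the slave
logged SSL23_GET_CLIENT_HELLO:unknown protocol.

Added example for this thread; it is not OpenLDAP or slurpd code.  The only
bytes taken from the post are the 11 shown in the slave's tls_read dump; the
complete StartTLS request and the TLS ClientHello prefix are constructed here.
"""

# From the slave's debug output: "tls_read: want=11, got=11" followed by
# 0000: 30 1d 02 01 01 77 18 80 16 31 2e
FROM_LOG = bytes.fromhex("30 1d 02 01 01 77 18 80 16 31 2e")

# StartTLS extended operation OID (RFC 4511 section 4.14): 22 characters,
# which is exactly the [0] length byte (0x16) visible in the dump.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# Constructed: a complete StartTLS ExtendedRequest with messageID 1:
#   SEQUENCE(29) { INTEGER 1, [APPLICATION 23](24) { [0](22) requestName } }
STARTTLS_REQUEST = (b"\x30\x1d" + b"\x02\x01\x01" + b"\x77\x18"
                    + b"\x80\x16" + STARTTLS_OID)

# Constructed: first bytes of a TLS 1.0 record carrying a ClientHello, which
# is what an ldaps listener expects to read first.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16 03 01 00 8b 01 00 00 87 03 01")

# LDAP protocolOp tags (BER APPLICATION class) that matter here.
LDAP_OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x63: "SearchRequest",
            0x66: "ModifyRequest", 0x77: "ExtendedRequest", 0x78: "ExtendedResponse"}


def ber_header(buf, pos):
    """Read one BER tag and length at buf[pos].  Returns (tag, length, value_pos),
    or None if the buffer ends before the header is complete."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        return tag, first, pos
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or pos + n > len(buf):
        return None
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n


def classify_first_bytes(buf):
    """What kind of client speaks first with these bytes."""
    if len(buf) >= 2 and buf[0] == 0x16 and buf[1] == 0x03:
        return "tls-record"                # record type 22 (handshake), SSL 3.x/TLS
    if len(buf) >= 3 and buf[0] & 0x80 and buf[2] == 0x01:
        return "sslv2-client-hello"        # 2-octet length with high bit set, then CLIENT-HELLO
    if buf[:1] == b"\x30":
        return "ldap-pdu"                  # BER SEQUENCE: a plaintext LDAPMessage
    return "unknown"


def parse_ldap_prefix(buf):
    """Decode as much of an LDAPMessage as buf holds; fields stop where the data does."""
    hdr = ber_header(buf, 0)
    if hdr is None or hdr[0] != 0x30:
        return None
    _, msg_len, pos = hdr
    info = {"message_len": msg_len, "truncated": len(buf) < pos + msg_len}
    hdr = ber_header(buf, pos)             # messageID INTEGER
    if hdr is None or hdr[0] != 0x02 or hdr[2] + hdr[1] > len(buf):
        return info
    _, id_len, pos = hdr
    info["message_id"] = int.from_bytes(buf[pos:pos + id_len], "big", signed=True)
    hdr = ber_header(buf, pos + id_len)    # protocolOp CHOICE
    if hdr is None:
        return info
    op_tag, _, pos = hdr
    info["op"] = LDAP_OPS.get(op_tag, "APPLICATION %d" % (op_tag & 0x1F))
    if op_tag == 0x77:                     # ExtendedRequest: [0] requestName LDAPOID
        hdr = ber_header(buf, pos)
        if hdr is not None and hdr[0] == 0x80:
            _, name_len, pos = hdr
            name = buf[pos:pos + name_len]
            info["request_name"] = name
            info["request_name_len"] = name_len
            info["is_starttls"] = name == STARTTLS_OID
            # With a truncated dump: the declared length and the visible prefix fit.
            info["could_be_starttls"] = (name_len == len(STARTTLS_OID)
                                         and STARTTLS_OID.startswith(name))
    return info


def diagnose(buf):
    """One-line reading of the first bytes, as a slave admin would want it."""
    kind = classify_first_bytes(buf)
    if kind != "ldap-pdu":
        return "client started with %s: fine for an ldaps listener" % kind
    info = parse_ldap_prefix(buf) or {}
    if info.get("could_be_starttls"):
        return ("plaintext LDAP ExtendedRequest, very likely StartTLS: the peer "
                "expected a plain ldap port, not ldaps (point it at 389 with tls=critical)")
    return "plaintext LDAP %s sent to an ldaps listener" % info.get("op", "message")


if __name__ == "__main__":
    for label, data in (("from log", FROM_LOG), ("tls hello", TLS_CLIENT_HELLO_PREFIX)):
        print(label, classify_first_bytes(data), parse_ldap_prefix(data))
        print("  ", diagnose(data))
```

Run against the logged bytes, the decoder reports an LDAPMessage with messageID 1 whose protocolOp is an ExtendedRequest, with a requestName declared as 22 bytes and beginning "1.": the master connected to the ldaps port and sent its StartTLS request in the clear, so OpenSSL on the slave saw 0x30 where it expected a hello record and gave up. That matches the advice in the reply: the replica line should target the port that speaks plain ldap (389), with tls=critical so that a failed StartTLS aborts the session instead of falling back to cleartext.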