
Re: slurpd silly error ?



Pierangelo Masarati wrote:

jehan.procaccia wrote:

Retrying operation for DN uid=test,ou=People,dc=int-evry,dc=fr on replica calaz.int-evry.fr:9389
Error: ldap_simple_bind_s for calaz.int-evry.fr:9389 failed: Can't contact LDAP server


However, when I search the slave, it responds OK:
$ ldapsearch -x uid=test -h localhost -p 9389 -D "cn=replicator,ou=System,dc=int-evry,dc=fr" -W homePostalAddress -LLL

My first guess is that the client works because you use "localhost" while slurpd doesn't because you use a fully qualified name, and (a) the name may not resolve to the right host, or (b) the slave might not be listening on the appropriate listener, e.g. it was started with -h "ldap://localhost:9389"; or anything like that.


Indeed! I knew it should be something silly... Now I start my slave this way:
-h "ldap://calaz.int-evry.fr:9389/ ldaps://calaz.int-evry.fr:9636/"
and it's OK ;-), thanks!


Second step now (this was my original purpose): I want to impose starttls=critical in replication,
unfortunately I get from slurpd:
Error: ldap_start_tls failed: Connect error (-11)
Retrying operation for DN uid=test,ou=People,dc=int-evry,dc=fr on replica calaz.int-evry.fr:9389
request 1 done
TLS certificate verification: Error, self signed certificate in certificate chain
TLS: can't connect.


on both master and slave slapd.conf has:
TLSCACertificateFile /etc/x509/ca.crt
TLSCertificateFile /etc/x509/slapd-calaz.crt
TLSCertificateKeyFile /etc/x509/slapd-calaz.key

The ca.crt is our "pki" root certificate which signed slapd-calaz.crt

Master:
replica host=calaz.int-evry.fr:9389
 binddn="cn=replicator,ou=System,dc=int-evry,dc=fr"
 bindmethod=simple   credentials=secret starttls=critical
replogfile /usr/local/openldap-2.2.20-1/var/lib/ldap/replica/replogfile

Slave:
updatedn "cn=replicator,ou=System,dc=int-evry,dc=fr"
updateref "ldap://calaz.int-evry.fr:389";

$ tail -3  /etc/openldap/ldap.conf
HOST calaz.int-evry.fr
BASE dc=int-evry,dc=fr
TLS_CACERT /etc/x509/ca.crt

However, a StartTLS ldapsearch (-ZZ) works fine:
$ ldapsearch -x uid=test -h calaz.int-evry.fr -p 9389 -D "cn=admin,dc=int-evry,dc=fr" -W homePostalAddress -LLL -ZZ
Enter LDAP Password:
dn: uid=test,ou=People,dc=int-evry,dc=fr
homePostalAddress: 9 fev 8:55


Something silly again?

p.




SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
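The two checks a practitioner would run against the "self signed certificate in certificate chain" failure above, as an added example that is not part of the thread: does the CA file really issue the replica's server certificate, and does that certificate name the host written in the replica directive? The paths and hostname assumed are the ones quoted in the thread; the script needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread). A replicating client such as slurpd
# accepts the replica's certificate only if the CA file it trusts issued
# that certificate and the certificate names the replica host.
# Default paths and hostname are the ones quoted in the thread.

# check_chain CA_FILE CERT_FILE: 0 if CERT_FILE verifies against CA_FILE.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_matches_host CERT_FILE HOST: 0 if the subject CN or a DNS SAN is HOST.
cert_matches_host() {
    cert=$1; host=$2
    # RFC 2253 output puts the CN first: "subject=CN=host,O=...,C=.."
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case "$subj" in *"CN=$host"|*"CN=$host,"*) return 0 ;; esac
    sans=$(openssl x509 -in "$cert" -noout -text \
           | grep -A1 'Subject Alternative Name' || true)
    case "$sans" in *"DNS:$host"|*"DNS:$host,"*) return 0 ;; esac
    return 1
}

# check_replica_tls CA_FILE CERT_FILE HOST: run both checks and report;
# returns 0 only when both pass.
check_replica_tls() {
    rc=0
    if check_chain "$1" "$2"; then
        echo "ok:   $2 chains to $1"
    else
        echo "FAIL: $2 does not verify against $1 (client sees an untrusted chain)"
        rc=1
    fi
    if cert_matches_host "$2" "$3"; then
        echo "ok:   $2 names $3"
    else
        echo "FAIL: $2 does not name $3 (use the host from the replica directive)"
        rc=1
    fi
    return $rc
}

# Usage: sh check_replica_tls.sh CA_FILE CERT_FILE HOST, e.g.
#   sh check_replica_tls.sh /etc/x509/ca.crt /etc/x509/slapd-calaz.crt calaz.int-evry.fr
if [ "$#" -eq 3 ]; then
    check_replica_tls "$@"
fi
```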