slurpd over ssl not tls
Hello list,
I have searched and read the archive but still do not have a clue about my
problem. Please see if you could provide a clue for troubleshooting. I'm
trying to configure replication between hosts lda01 and lda03 (OL
2.3.7, BDB 4.3.28, openssl-0.9.8). When using port 389, replication was fine,
and I can do the following to prove ldaps is working (slapd starts with -h
"ldap:/// ldaps:///"):
lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda03.mydomain.com (over 636)
or
lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda03.mydomain.com -Z (over 389, but not sure whether it is encrypted or not; with -d7 I can see tls_read:....)
lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda01.mydomain.com (over 636)
or
lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda01.mydomain.com -Z (over 389, but not sure whether it is encrypted or not; with -d7 I can see tls_read:....)
I can use ldapadmin tools to connect to the servers over port 636 too.
openssl verify on both servers says:
# openssl s_client -connect lda03.mydomain.com:636 -showcerts -state -CAfile /usr/local/openssl/misc/var/ca/cacert.pem
......
Verify return code: 0 (ok)
# openssl s_client -connect lda03.mydomain.com:636
......
Verify return code: 19 (self signed certificate in certificate chain)
but when I start slurpd, the log complains:
[lda01 ~]# /usr/local/openldap/libexec/slurpd -f /usr/local/openldap/etc/openldap/slapd.conf -r /var/log/slapd.replog -d 1
@(#) $OpenLDAP: slurpd 2.3.7 (Sep 7 2005 13:42:42) $
root@lda01.mydomain.com:/opt/src/openldap-2.3.7/servers/slurpd
ldap_url_parse_ext(ldaps://lda03.mydomain.com)
Warning: saved state for 10.1.4.133:389, not a known replica
Warning: unknown replica 10.1.4.133:389 found in replication log
Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
ldap_create
ldap_url_parse_ext(ldaps://lda03.mydomain.com)
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP lda03.mydomain.com:636
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 10.1.4.133:636
ldap_connect_timeout: fd: 8 tm: -1 async: 0
ldap_ndelay_on: 8
Warning: unknown replica lda03.mydomain.com:0 found in replication log
ldap_is_sock_ready: 8
ldap_ndelay_off: 8
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=ca/ST=ontario/L=toronto/O=my corp/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com, issuer: /C=ca/ST=ontario/L=toronto/O=mydomain/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error: ldap_simple_bind_s for lda03.mydomain.com:636 failed: Can't contact LDAP server
ldap_unbind
All configurations use the same cacert.pem, but
servercert.pem/serverkey.pem are different.
on master(lda01)
slapd.conf
...
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
...
replogfile /var/log/slapd.replog
replica uri=ldaps://lda03.mydomain.com
suffix="o=mydomain.com"
binddn="cn=replica,ou=profile,o=mydomain.com"
bindmethod=simple
credentials=replica
...
ldap.conf
...
tls_reqcert allow
tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
tls_cacertdir /usr/local/openssl/misc/var/ca
on slave(lda03)
slapd.conf
...
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
...
updatedn "cn=replica,ou=profile,o=mydomain.com"
updateref ldaps://lda01.mydomain.com
slurpd over SSL is not working; however, the configuration below works. I am not
sure if I can say slurpd over TLS is working.
on master(lda01)
slapd.conf
...
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
...
replogfile /var/log/slapd.replog
replica host=lda03.mydomain.com:389
suffix="o=mydomain.com"
binddn="cn=replica,ou=profile,o=mydomain.com"
credentials=replica
bindmethod=simple
tls=yes
ldap.conf
...
tls_reqcert allow
tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
tls_cacertdir /usr/local/openssl/misc/var/ca
on slave(lda03)
slapd.conf
...
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
...
updatedn "cn=replica,ou=profile,o=mydomain.com"
updateref ldaps://lda01.mydomain.com
Please comment, thanks in advance.
Regards,
Ran
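As an added illustration (not part of Ran's post and not OpenLDAP code), here is a small Python helper that reads the kind of libldap `-d 1` TLS trace shown above and reports the verify depth, the OpenSSL verify error code, the alert the client wrote and whether the connect survived. The sample lines are constructed from the output in the post, and the error-code table covers only the listed codes.

```python
import re

# OpenSSL X.509 verify result codes as printed by libldap's TLS trace
# ("TLS certificate verification: depth: N, err: M, ..."). Only the
# codes most often seen when a CA file is missing or wrong are listed.
X509_VERIFY_ERRORS = {
    0: "ok",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+)")
ALERT_RE = re.compile(r"TLS trace: SSL3 alert write:fatal:(.+)")

def diagnose_tls_trace(lines):
    """Summarise a libldap -d 1 TLS trace: which verify step failed,
    which fatal alert the client sent, and whether the connect survived."""
    result = {"depth": None, "err": 0, "err_name": "ok",
              "fatal_alert": None, "connected": True}
    for line in lines:
        m = VERIFY_RE.search(line)
        if m:
            depth, err = int(m.group(1)), int(m.group(2))
            if err != 0:
                result["depth"] = depth
                result["err"] = err
                result["err_name"] = X509_VERIFY_ERRORS.get(err, "unknown")
        m = ALERT_RE.search(line)
        if m:
            result["fatal_alert"] = m.group(1).strip()
        if line.startswith("TLS: can't connect"):
            result["connected"] = False
    # err 19 (or 20) means the chain could be built from what the server
    # sent, but its root was not found in the client's own trust store, so
    # the "unknown CA" alert is raised by the client (here slurpd), not by
    # the server: check which CA file this client actually loaded.
    result["client_missing_ca"] = result["err"] in (19, 20)
    return result

# Constructed sample, modelled on the slurpd -d 1 output in the post.
SAMPLE_TRACE = [
    "TLS trace: SSL_connect:SSLv3 read server hello A",
    "TLS certificate verification: depth: 1, err: 19, subject: /C=ca/CN=mydomain.com, issuer: /C=ca/CN=mydomain.com",
    "TLS certificate verification: Error, self signed certificate in certificate chain",
    "TLS trace: SSL3 alert write:fatal:unknown CA",
    "TLS trace: SSL_connect:error in SSLv3 read server certificate B",
    "TLS: can't connect.",
]
```

Feed it the real trace with `diagnose_tls_trace(open("slurpd.log").read().splitlines())`; a `client_missing_ca` of True points at the CA file on the client side rather than at the server certificate.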