
slurpd over ssl not tls



Hello list,

I have searched and read the archive but still do not have a clue about my
problem. Please see if you could provide a clue for troubleshooting. I'm
trying to configure replication between hosts lda01 and lda03 (OL
2.3.7, BDB 4.3.28, openssl-0.9.8). When using 389, replication was fine,
and I can do the following to prove ldaps is working (slapd starts with -h
"ldap:/// ldaps:///"):

lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda03.mydomain.com
(over 636)

or

lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda03.mydomain.com -Z
(over 389, but not sure whether it is encrypted or not; with -d7 I can see tls_read:....)

lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda01.mydomain.com
(over 636)

or

lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda01.mydomain.com -Z
(over 389, but not sure whether it is encrypted or not; with -d7 I can see tls_read:....)

I can use ldapadmin tools to connect to the servers over port 636 too.

openssl verification on both servers says:

# openssl s_client -connect lda03.mydomain.com:636 -showcerts -state
-CAfile /usr/local/openssl/misc/var/ca/cacert.pem
......
    Verify return code: 0 (ok)

# openssl s_client -connect lda03.mydomain.com:636
......
    Verify return code: 19 (self signed certificate in certificate
chain)

but when I start slurpd, the log complains:

[lda01 ~]# /usr/local/openldap/libexec/slurpd -f
/usr/local/openldap/etc/openldap/slapd.conf -r /var/log/slapd.replog -d
1
@(#) $OpenLDAP: slurpd 2.3.7 (Sep  7 2005 13:42:42) $
        root@lda01.mydomain.com:/opt/src/openldap-2.3.7/servers/slurpd

ldap_url_parse_ext(ldaps://lda03.mydomain.com)
Warning: saved state for 10.1.4.133:389, not a known replica
Warning: unknown replica 10.1.4.133:389 found in replication log Replica
lda03.mydomain.com:636, skip repl record for ou=test123,ou=p
rofile,o=mydomain.com (not mine) Replica lda03.mydomain.com:636, skip
repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
ldap_create
ldap_url_parse_ext(ldaps://lda03.mydomain.com)
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP lda03.mydomain.com:636
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 10.1.4.133:636
ldap_connect_timeout: fd: 8 tm: -1 async: 0
ldap_ndelay_on: 8
Warning: unknown replica lda03.mydomain.com:0 found in replication log
ldap_is_sock_ready: 8
ldap_ndelay_off: 8
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject:
/C=ca/ST=ontario/L=tor onto/O=my
corp/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.c
om, issuer:
/C=ca/ST=ontario/L=toronto/O=mydomain/OU=mydomain.com/CN=mydomain.com/em
ailAddress=ran.li@sprint-canada.com
TLS certificate verification: Error, self signed certificate in
certificate chain 
TLS trace: SSL3 alert write:fatal:unknown CA 
TLS trace: SSL_connect:error in SSLv3 read server certificate B 
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error: ldap_simple_bind_s for lda03.mydomain.com:636 failed: Can't
contact LDAP server 
ldap_unbind

All configurations use the same cacert.pem, but
servercert.pem/serverkey.pem are different.

on master(lda01)
slapd.conf 
...
TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
... 
replogfile      /var/log/slapd.replog
replica         uri=ldaps://lda03.mydomain.com
                suffix="o=mydomain.com"
                binddn="cn=replica,ou=profile,o=mydomain.com"
                bindmethod=simple
                credentials=replica
...

ldap.conf 
...
tls_reqcert allow
tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
tls_cacertdir /usr/local/openssl/misc/var/ca

on slave(lda03)
slapd.conf
...
TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
... 
updatedn        "cn=replica,ou=profile,o=mydomain.com"
updateref       ldaps://lda01.mydomain.com

slurpd over SSL is not working; however, the configuration below works,
though I am not sure I can say slurpd over TLS is working.

on master(lda01)
slapd.conf 
...
TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
... 
replogfile      /var/log/slapd.replog
replica         host=lda03.mydomain.com:389
                suffix="o=mydomain.com"
                binddn="cn=replica,ou=profile,o=mydomain.com"
                credentials=replica
                bindmethod=simple
                tls=yes
ldap.conf 
...
tls_reqcert allow
tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
tls_cacertdir /usr/local/openssl/misc/var/ca

on slave(lda03)
slapd.conf
...
TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
... 
updatedn        "cn=replica,ou=profile,o=mydomain.com"
updateref       ldaps://lda01.mydomain.com
 
Please comment, thanks in advance.

Regards,

Ran
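An added check script, not part of the original post or of OpenLDAP: it reads the `replica` stanzas from a slapd.conf in the 2.3 syntax shown above (both the `uri=ldaps://...` form and the `host=...:389 ... tls=yes` form), then opens a TLS session to each ldaps target trusting only the named CA file, so that the verify result reported is the one a strict client (slurpd, or `openssl s_client -CAfile`) would get rather than what `tls_reqcert allow` hides. The sample configuration text, hostnames and CA path are constructed placeholders modelled on the thread.

```python
import re
import socket
import ssl
from typing import List, Tuple

# Constructed sample mirroring the two replica stanza forms from the thread.
SAMPLE_CONF = """
replogfile      /var/log/slapd.replog
replica         uri=ldaps://lda03.mydomain.com
                suffix="o=mydomain.com"
                binddn="cn=replica,ou=profile,o=mydomain.com"
                bindmethod=simple
                credentials=replica
replica         host=lda03.mydomain.com:389
                suffix="o=mydomain.com"
                bindmethod=simple
                tls=yes
"""

def _join_continuations(text: str) -> List[str]:
    """slapd.conf continues a directive on lines beginning with whitespace."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def parse_replica_targets(conf: str) -> List[Tuple[str, int, str]]:
    """Return (host, port, mode) per replica stanza; mode is ldaps/starttls/plain."""
    out = []
    for line in _join_continuations(conf):
        if not line.startswith("replica"):
            continue
        m = re.search(r"uri=(ldaps?)://([^\s:/]+)(?::(\d+))?", line)
        if m:
            scheme, host, port = m.groups()
            mode = "ldaps" if scheme == "ldaps" else ("starttls" if "tls=yes" in line else "plain")
            out.append((host, int(port) if port else (636 if scheme == "ldaps" else 389), mode))
            continue
        m = re.search(r"host=([^\s:]+)(?::(\d+))?", line)
        if m:
            host, port = m.groups()
            out.append((host, int(port) if port else 389, "starttls" if "tls=yes" in line else "plain"))
    return out

def verify_ldaps_chain(host: str, port: int, cafile: str, timeout: float = 5.0) -> str:
    """Strict handshake (CERT_REQUIRED + hostname check) trusting only cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(x[0] for x in tls.getpeercert()["issuer"]).get("commonName", "?")
                return "ok (%s, issuer CN=%s)" % (tls.version(), issuer)
    except ssl.SSLCertVerificationError as exc:   # e.g. "self signed certificate in certificate chain"
        return "verify failed: %s" % exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return "connect/handshake failed: %s" % exc

if __name__ == "__main__":
    for host, port, mode in parse_replica_targets(SAMPLE_CONF):   # placeholder targets
        if mode == "ldaps":
            print(host, port, verify_ldaps_chain(host, port, "/usr/local/openssl/misc/var/ca/cacert.pem"))
        else:
            print(host, port, mode, "(StartTLS on 389 is not exercised by this script)")
```

A target that verifies with this script but fails inside slurpd points at slurpd not loading the same CA file, not at the certificate itself.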