On Tuesday 25 October 2005 15:41, Ran Li wrote:
> Hello list,
>
> Having searched and read the archive but still do not get a clue for my
> problem. Please see if you could provide a clue for troubleshooting. I'm
> trying to configure replication between hosts lda01 and lda03 (OL 2.3.7,
> BDB 4.3.28, openssl-0.9.8). When using 389, replication was fine, and I
> can do the following to prove ldaps is working (slapd starts with
> -h "ldap:/// ldaps:///"):
>
> lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda03.mydomain.com
> (over 636)
> or
> lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda03.mydomain.com -Z
> (over 389, but not sure whether it is encrypted or not, -d7 can see tls_read:....)
>
> lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda01.mydomain.com
> (over 636)
> or
> lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda01.mydomain.com -Z
> (over 389, but not sure whether it is encrypted or not, -d7 can see tls_read:....)
>
> I can use ldapadmin tools to connect to the servers over port 636 too.
>
> openssl verify on both servers says
>
> # openssl s_client -connect lda03.mydomain.com:636 -showcerts -state -CAfile /usr/local/openssl/misc/var/ca/cacert.pem
> ......
> Verify return code: 0 (ok)
>
> # openssl s_client -connect lda03.mydomain.com:636
> ......
> Verify return code: 19 (self signed certificate in certificate chain)
>
> but when I start the slurpd, the log complains
>
> [lda01 ~]# /usr/local/openldap/libexec/slurpd -f /usr/local/openldap/etc/openldap/slapd.conf -r /var/log/slapd.replog -d 1
> @(#) $OpenLDAP: slurpd 2.3.7 (Sep 7 2005 13:42:42) $
>         root@lda01.mydomain.com:/opt/src/openldap-2.3.7/servers/slurpd
>
> ldap_url_parse_ext(ldaps://lda03.mydomain.com)
> Warning: saved state for 10.1.4.133:389, not a known replica
> Warning: unknown replica 10.1.4.133:389 found in replication log
> Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
> Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
> ldap_create
> ldap_url_parse_ext(ldaps://lda03.mydomain.com)
> ldap_simple_bind_s
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP lda03.mydomain.com:636
> ldap_new_socket: 8
> ldap_prepare_socket: 8
> ldap_connect_to_host: Trying 10.1.4.133:636
> ldap_connect_timeout: fd: 8 tm: -1 async: 0
> ldap_ndelay_on: 8
> Warning: unknown replica lda03.mydomain.com:0 found in replication log
> ldap_is_sock_ready: 8
> ldap_ndelay_off: 8
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /C=ca/ST=ontario/L=toronto/O=my corp/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com, issuer: /C=ca/ST=ontario/L=toronto/O=mydomain/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com
> TLS certificate verification: Error, self signed certificate in certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_err2string
> Error: ldap_simple_bind_s for lda03.mydomain.com:636 failed: Can't contact LDAP server
> ldap_unbind
>
> All configurations use the same cacert.pem, but servercert.pem/serverkey.pem are different.
>
> on master (lda01)
> slapd.conf
> ...
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> replogfile /var/log/slapd.replog
> replica uri=ldaps://lda03.mydomain.com
>         suffix="o=mydomain.com"
>         binddn="cn=replica,ou=profile,o=mydomain.com"
>         bindmethod=simple
>         credentials=replica
> ...
>
> ldap.conf

These would be the pam_ldap/nss_ldap ldap.conf (by the fact that the directives are in lower case):

> ...
> tls_reqcert allow
> tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
> tls_cacertdir /usr/local/openssl/misc/var/ca
>
> on slave (lda03)
> slapd.conf
> ...
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> updatedn "cn=replica,ou=profile,o=mydomain.com"
> updateref ldaps://lda01.mydomain.com
>
> slurpd over ssl is not working; however, the configuration below works.
> Not sure if I can say slurpd over tls is working.
>
> on master (lda01)
> slapd.conf
> ...
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> replogfile /var/log/slapd.replog
> replica host=lda03.mydomain.com:389
>         suffix="o=mydomain.com"
>         binddn="cn=replica,ou=profile,o=mydomain.com"
>         credentials=replica
>         bindmethod=simple
>         tls=yes
>
> ldap.conf

pam_ldap/nss_ldap

> ...
> tls_reqcert allow
> tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
> tls_cacertdir /usr/local/openssl/misc/var/ca
>
> on slave (lda03)
> slapd.conf
> ...
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> updatedn "cn=replica,ou=profile,o=mydomain.com"
> updateref ldaps://lda01.mydomain.com
>
> Please comment, thanks in advance.

Specify the CA cert to the ldap library, with something like this (in OpenLDAP's ldap.conf):

TLS_CACERT /usr/local/openssl/misc/var/ca/cacert.pem

--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
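Added example (not code from the thread or from OpenLDAP): a small checker that parses a file in OpenLDAP ldap.conf(5) syntax and reports whether libldap, the library slurpd and ldapsearch use, has a CA it can verify the replica's certificate against. The three config texts are constructed here: one with no TLS directives (what libldap effectively sees when the tls_* lines live only in the pam_ldap/nss_ldap file), one with the TLS_CACERT line from the reply, and one that copies the lowercase lines from the post verbatim to show what "tls_reqcert allow" does to verification; the BASE line is an assumption.

```python
"""Check an OpenLDAP client ldap.conf for the CA setting slurpd needs."""
from typing import Dict, List

# Constructed samples, not files from the thread.
CONF_BEFORE = "# no TLS directives at all\nBASE o=mydomain.com\n"
CONF_AFTER = ("BASE o=mydomain.com\n"
              "TLS_CACERT /usr/local/openssl/misc/var/ca/cacert.pem\n")
CONF_WEAK = ("tls_reqcert allow\n"
             "tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem\n"
             "tls_cacertdir /usr/local/openssl/misc/var/ca\n")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf(5) syntax: blank and '#' lines are ignored, a line that
    starts with whitespace continues the previous line, and directive
    names are case-insensitive (normalised to upper case; last one wins)."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw[:1].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw)
    conf: Dict[str, str] = {}
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def tls_verification_problems(conf: Dict[str, str]) -> List[str]:
    """Describe how libldap will treat the replica's server certificate.
    TLS_REQCERT defaults to 'demand'; a certificate issued by a private CA
    only verifies if TLS_CACERT or TLS_CACERTDIR points at that CA."""
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    has_ca = "TLS_CACERT" in conf or "TLS_CACERTDIR" in conf
    problems: List[str] = []
    if reqcert in ("demand", "hard", "try") and not has_ca:
        problems.append("no TLS_CACERT/TLS_CACERTDIR: a private-CA chain fails "
                        "verification (self signed certificate in chain) and "
                        "libldap aborts the connection")
    if reqcert in ("never", "allow"):
        problems.append(f"TLS_REQCERT {reqcert}: the server certificate is "
                        "not checked, so the replica's identity is unverified")
    return problems


if __name__ == "__main__":
    for name, text in ("before", CONF_BEFORE), ("after", CONF_AFTER), ("weak", CONF_WEAK):
        print(name, tls_verification_problems(parse_ldap_conf(text)) or ["ok"])
```

Run it against the ldap.conf that libldap actually reads (the one next to slapd.conf, not pam_ldap's /etc/ldap.conf) to see which of the three cases a host is in.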