
RE: slurpd over ssl, slurpd does not work, referral works



Hello Buchan / all,

I got so mixed up with ldap.conf; I have 3 ldap.conf files on the host:
/etc/ldap.conf --> for pam_ldap/nss_ldap
/etc/openldap/ldap.conf --> from the openldap that comes with the OS
/usr/local/openldap/etc/openldap/ldap.conf --> from the openldap 2.3.7 I'm using

Correct me if I'm wrong about the following:

When starting slurpd there is no option to specify the ldap.conf, so the
ldap.conf slurpd uses should be the one under the --prefix; in my case it
should be /usr/local/openldap/etc/openldap/ldap.conf.

The syntax of the ldap.conf for pam_ldap/nss_ldap is different from that
of the OpenLDAP one.

Another test result that does not make much sense: I need to specify the
port number in the uri line, otherwise slurpd gives me the error
"Replica lda03.mydomain.com:636, skip repl record for
ou=test,ou=profile,o=mydomain.com (not mine)" and the actual
replication won't work.

 replica         uri=ldaps://lda03.mydomain.com:636
                 suffix="o=mydomain.com"
                 binddn="cn=replica,ou=profile,o=mydomain.com"
                 bindmethod=simple
                 credentials=replica

According to
http://www.openldap.org/lists/openldap-software/200311/msg00442.html
I don't have to specify 636 in slapd.conf; using
"uri=ldaps://lda03.mydomain.com" should be fine.

Please comment if you have any idea about my case. Thanks.

Regards,

Ran
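An added check for the "(not mine)" symptom described above, written for this page rather than taken from the thread or from OpenLDAP itself. It compares the replica id slurpd derives from the replica uri with the replica: key carried in each replog record, using a constructed sample replog. The record layout is assumed to follow slapd's replica:/time:/dn:/changetype: shape, and the port rules (scheme default on the slurpd side, 0 on the replog side when the uri omits the port) are inferred from the log lines quoted in this thread, not from slapd's source.

```shell
#!/bin/sh
# Added example (not code from the thread): reproduce the "(not mine)"
# mismatch offline. slurpd identifies each replica as host:port, and a replog
# record whose "replica:" line carries a different host:port is skipped.
# Assumptions: the replog below is a constructed sample in the
# "replica:/time:/dn:/changetype:" shape slapd writes; the port rules are
# inferred from the log lines quoted in the thread, not from slapd's source.
set -u

# Strip scheme and any path from a URI, leaving host[:port].
hostport_of() {
    hp=${1#*://}
    echo "${hp%%/*}"
}

# slurpd's replica id: a port-less URI gets the scheme default when the URI is
# parsed (the thread's slurpd logged 'added replica "lda03.mydomain.com:636"'
# for "uri=ldaps://lda03.mydomain.com").
slurpd_replica_id() {
    hp=$(hostport_of "$1")
    case $hp in
        *:*) echo "$hp" ;;
        *)   case $1 in
                 ldaps://*) echo "$hp:636" ;;
                 *)         echo "$hp:389" ;;
             esac ;;
    esac
}

# The key slapd wrote into the replog for the same directive: the port exactly
# as given, which is 0 when the URI has none (slurpd warned about
# "lda03.mydomain.com:0 found in replication log").
replog_replica_key() {
    hp=$(hostport_of "$1")
    case $hp in
        *:*) echo "$hp" ;;
        *)   echo "$hp:0" ;;
    esac
}

# Constructed replog: one record written for a port-less uri (host:0) and one
# for an explicit ":636" uri.
write_sample_replog() {
    cat >"$1" <<'EOF'
replica: lda03.mydomain.com:0
time: 1130347200
dn: ou=test,ou=profile,o=mydomain.com
changetype: add
objectClass: organizationalUnit
ou: test

replica: lda03.mydomain.com:636
time: 1130347260
dn: ou=test2,ou=profile,o=mydomain.com
changetype: add
objectClass: organizationalUnit
ou: test2

EOF
}

# Count replog records slurpd would skip as "not mine" for a given replica id.
count_not_mine() {
    awk -v id="$2" '/^replica: / { if ($2 != id) n++ } END { print n + 0 }' "$1"
}

# Stand-alone run: compare the two replica directives from the thread.
replog=$(mktemp)
write_sample_replog "$replog"
for uri in ldaps://lda03.mydomain.com ldaps://lda03.mydomain.com:636; do
    id=$(slurpd_replica_id "$uri")
    printf '%-32s slurpd id=%-24s replog key=%-24s skipped=%s\n' \
        "$uri" "$id" "$(replog_replica_key "$uri")" "$(count_not_mine "$replog" "$id")"
done
rm -f "$replog"
```

Against a live master, point count_not_mine at the real replog (the thread's is /var/log/slapd.replog) and pass the id slurpd prints in its "successfully added replica" line; any non-zero count means records exist that this slurpd instance will never push, which is the silent "referral works, replication doesn't" state described above.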

-----Original Message-----
From: Ran Li 
Sent: Wednesday, October 26, 2005 1:42 PM
To: 'Buchan Milne'; openldap-software@openldap.org
Subject: RE: slurpd over ssl, slurpd does not work, referral works


Hello Buchan / all,

I appreciate your comments; that is why I could not start slurpd
normally.

After starting slurpd successfully, however, the actual replication does
not work; the referral works though.

Whenever I make a change, the slurpd log says

Replica lda03.mydomain.com:636, skip repl record for
ou=test,ou=profile,o=mydomain.com (not mine)

When starting slurpd:

......
Config: (replogfile     /var/log/slapd.replog)
Config: (replica         uri=ldaps://lda03.mydomain.com
                 suffix="o=mydomain.com"
                 binddn="cn=replica,ou=profile,o=mydomain.com"
                 bindmethod=simple
                 credentials=replica)
ldap_url_parse_ext(ldaps://lda03.mydomain.com)
Config: ** successfully added replica "lda03.mydomain.com:636"
Config: ** configuration file successfully read and parsed
......


Any suggestions? Thanks.

Regards,

Ran



-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net] 
Sent: Tuesday, October 25, 2005 1:27 PM
To: Ran Li
Cc: openldap-software@openldap.org
Subject: Re: slurpd over ssl not tls


On Tuesday 25 October 2005 15:41, Ran Li wrote:
> Hello list,
>
> I have searched and read the archive but still have no clue about my
> problem. Please see if you could provide a clue for troubleshooting.
> I'm trying to configure replication between hosts lda01 and lda03
> (OL 2.3.7, BDB 4.3.28, openssl-0.9.8). When using 389, replication
> was fine, and I can do the following to prove ldaps is working
> (slapd starts with -h "ldap:/// ldaps:///"):
>
> lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda03.mydomain.com  (over 636)
> or
> lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda03.mydomain.com -Z  (over 389, but not sure whether it is encrypted or not; -d7 can see tls_read:....)
>
> lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda01.mydomain.com  (over 636)
> or
> lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda01.mydomain.com -Z  (over 389, but not sure whether it is encrypted or not; -d7 can see tls_read:....)
>
> I can use ldapadmin tools to connect to the servers over port 636 too.
>
> openssl verify on both servers says
>
> # openssl s_client -connect lda03.mydomain.com:636 -showcerts -state
> -CAfile /usr/local/openssl/misc/var/ca/cacert.pem
> ......
>     Verify return code: 0 (ok)
>
> # openssl s_client -connect lda03.mydomain.com:636
> ......
>     Verify return code: 19 (self signed certificate in certificate
> chain)
>
> but when I start slurpd, the log complains:
>
> [lda01 ~]# /usr/local/openldap/libexec/slurpd -f /usr/local/openldap/etc/openldap/slapd.conf -r /var/log/slapd.replog -d 1
> @(#) $OpenLDAP: slurpd 2.3.7 (Sep  7 2005 13:42:42) $
>         root@lda01.mydomain.com:/opt/src/openldap-2.3.7/servers/slurpd
>
> ldap_url_parse_ext(ldaps://lda03.mydomain.com)
> Warning: saved state for 10.1.4.133:389, not a known replica
> Warning: unknown replica 10.1.4.133:389 found in replication log
> Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
> Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
> ldap_create
> ldap_url_parse_ext(ldaps://lda03.mydomain.com)
> ldap_simple_bind_s
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP lda03.mydomain.com:636
> ldap_new_socket: 8
> ldap_prepare_socket: 8
> ldap_connect_to_host: Trying 10.1.4.133:636
> ldap_connect_timeout: fd: 8 tm: -1 async: 0
> ldap_ndelay_on: 8
> Warning: unknown replica lda03.mydomain.com:0 found in replication log
> ldap_is_sock_ready: 8
> ldap_ndelay_off: 8
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /C=ca/ST=ontario/L=toronto/O=my corp/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com, issuer: /C=ca/ST=ontario/L=toronto/O=mydomain/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_err2string
> Error: ldap_simple_bind_s for lda03.mydomain.com:636 failed: Can't
> contact LDAP server
> ldap_unbind
>
> All configurations use the same cacert.pem, but
> servercert.pem/serverkey.pem are different.
>
> on master(lda01)
> slapd.conf
> ...
> TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> replogfile      /var/log/slapd.replog
> replica         uri=ldaps://lda03.mydomain.com
>                 suffix="o=mydomain.com"
>                 binddn="cn=replica,ou=profile,o=mydomain.com"
>                 bindmethod=simple
>                 credentials=replica
> ...
>
> ldap.conf

This would be the pam_ldap/nss_ldap ldap.conf (judging by the fact that the
directives are in lower case):

> ...
> tls_reqcert allow
> tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
> tls_cacertdir /usr/local/openssl/misc/var/ca
>
> on slave(lda03)
> slapd.conf
> ...
> TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> updatedn        "cn=replica,ou=profile,o=mydomain.com"
> updateref       ldaps://lda01.mydomain.com
>
> slurpd over ssl is not working; however, the configuration below works.
> Not sure if I can say slurpd over tls is working.
>
> on master(lda01)
> slapd.conf
> ...
> TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> replogfile      /var/log/slapd.replog
> replica         host=lda03.mydomain.com:389
>                 suffix="o=mydomain.com"
>                 binddn="cn=replica,ou=profile,o=mydomain.com"
>                 credentials=replica
>                 bindmethod=simple
>                 tls=yes
> ldap.conf

pam_ldap/nss_ldap

> ...
> tls_reqcert allow
> tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
> tls_cacertdir /usr/local/openssl/misc/var/ca
>
> on slave(lda03)
> slapd.conf
> ...
> TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> updatedn        "cn=replica,ou=profile,o=mydomain.com"
> updateref       ldaps://lda01.mydomain.com
>
> Please comment, thanks in advance.


Specify the CA cert to the ldap library, with something like this (in 
OpenLDAP's ldap.conf):
TLS_CACERT /usr/local/openssl/misc/var/ca/cacert.pem

-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
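To see the difference Buchan's TLS_CACERT line makes without touching the servers, here is an added example (not from the thread or from OpenLDAP) that builds a throwaway CA and server certificate with the openssl command-line tool and verifies the server certificate twice: once with the CA trusted, which is what libldap gets once TLS_CACERT names cacert.pem, and once with the CA present only in the chain but untrusted, which reproduces the "err: 19, self signed certificate in certificate chain" quoted above. It assumes openssl is installed; the organisation, hostname and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): show verify code 19 versus "ok"
# offline, using a throwaway CA built here. Assumes the openssl command-line
# tool is installed; names and paths are placeholders.
set -u

# Build a private CA and a server certificate signed by it (constructed
# throwaway PKI; the hostname is a placeholder, not the thread's real host).
# The explicit config keeps basicConstraints CA:TRUE on the CA regardless of
# which default openssl.cnf the system ships.
make_test_pki() {
    dir=$1
    cat >"$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = example test
CN = example test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/O=example test/CN=replica.example.test" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/servercert.pem" \
        >/dev/null 2>&1 || return 1
}

# Map openssl's verify result to the code s_client and libldap report:
# "ok" on success, otherwise the number from the first "error N at" line
# (19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN).
verify_code() {
    out=$(openssl verify "$@" 2>&1) && { echo ok; return 0; }
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-unknown}"
}

# What libldap does once TLS_CACERT (OpenLDAP's ldap.conf) names cacert.pem:
# the CA is trusted, so the chain verifies.
verify_with_ca() {
    verify_code -CAfile "$1/cacert.pem" "$1/servercert.pem"
}

# What the thread's slurpd saw: the self-signed CA is present in the chain
# the server sends, but nothing told the client to trust it.
verify_untrusted_chain() {
    verify_code -untrusted "$1/cacert.pem" "$1/servercert.pem"
}

# Stand-alone run.
workdir=$(mktemp -d)
if make_test_pki "$workdir"; then
    echo "CA trusted via -CAfile (what TLS_CACERT gives libldap): $(verify_with_ca "$workdir")"
    echo "CA only in the chain, not trusted:                      $(verify_untrusted_chain "$workdir")"
fi
rm -rf "$workdir"
```

The live equivalent is the openssl s_client -CAfile command quoted earlier in the thread. Note that libldap, and therefore slurpd, reads its TLS_* settings from OpenLDAP's own ldap.conf (or the file named by the LDAPCONF/LDAPRC environment variables), so a lowercase tls_cacert or tls_reqcert line in the pam_ldap/nss_ldap /etc/ldap.conf has no effect on it.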