RE: slurpd over ssl, slurpd does not work, referral works
Hello Buchan / all,
I was so messed up with ldap.conf; I have 3 ldap.conf files on the host:
/etc/ldap.conf --> for pam_ldap/nss_ldap
/etc/openldap/ldap.conf --> from the openldap that comes with the OS
/usr/local/openldap/etc/openldap/ldap.conf --> from the openldap 2.3.7 I'm using
Correct me if I'm wrong on the below:
when starting slurpd there is no option to specify the ldap.conf, so the
ldap.conf slurpd uses should be the one under the --prefix; in my
case it should be /usr/local/openldap/etc/openldap/ldap.conf.
The syntax of the ldap.conf for pam_ldap/nss_ldap is different from the
one for openldap.
Another test result that does not make much sense: I need to
specify the port number in the uri line, otherwise slurpd will give me the
"Replica lda03.mydomain.com:636, skip repl record for
ou=test,ou=profile,o=mydomain.com (not mine)" error and the actual
replication won't work.
replica uri=ldaps://lda03.mydomain.com:636
suffix="o=mydomain.com"
binddn="cn=replica,ou=profile,o=mydomain.com"
bindmethod=simple
credentials=replica
According to
http://www.openldap.org/lists/openldap-software/200311/msg00442.html
in slapd.conf I don't have to specify 636; using
"uri=ldaps://lda03.mydomain.com" should be fine.
Please comment if you have any idea about my case. Thanks.
Regards,
Ran
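The two symptoms in this thread (slurpd registering the replica as "lda03.mydomain.com:636", the replog carrying records tagged "lda03.mydomain.com:0", and every record then being skipped as "not mine") come down to whether the host:port key slurpd derives from the replica directive matches the key slapd wrote into the replog. The following Go program is an added example, not code from this thread or from OpenLDAP: it joins slapd.conf continuation lines, derives the host:port key from each replica uri (the scheme defaults, 636 for ldaps and 389 for ldap, are an assumption modelled on the log lines above), and lists the replog records no configured replica matches. The slapd.conf fragment and the replog are constructed sample data; the record tagged with port 0 mirrors the "unknown replica lda03.mydomain.com:0" warning from the earlier log.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample slapd.conf fragment, modelled on the replica directive posted
// in the thread (continuation lines start with whitespace, as in slapd.conf).
const sampleSlapdConf = `replogfile /var/log/slapd.replog
replica uri=ldaps://lda03.mydomain.com
        suffix="o=mydomain.com"
        binddn="cn=replica,ou=profile,o=mydomain.com"
        bindmethod=simple
        credentials=replica
`

// Constructed sample replog (record bodies shortened). The first record is tagged
// with port 0, mirroring the warning in the thread; the second carries the
// host:port slurpd registered the replica under.
const sampleReplog = `replica: lda03.mydomain.com:0
dn: ou=test,ou=profile,o=mydomain.com
changetype: modify

replica: lda03.mydomain.com:636
dn: ou=test,ou=profile,o=mydomain.com
changetype: modify
`

// replicaKey derives the host:port key for a replica uri, applying the scheme
// default (assumption: 636 for ldaps, 389 for ldap) when no port is written, and
// reports whether the port was explicit.
func replicaKey(uri string) (key string, explicit bool, err error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", false, err
	}
	port := u.Port()
	explicit = port != ""
	if !explicit {
		switch u.Scheme {
		case "ldaps":
			port = "636"
		case "ldap":
			port = "389"
		default:
			return "", false, fmt.Errorf("unsupported scheme %q in %q", u.Scheme, uri)
		}
	}
	return u.Hostname() + ":" + port, explicit, nil
}

// configuredReplicas joins slapd.conf continuation lines and returns the uri=
// value of every replica directive.
func configuredReplicas(conf string) []string {
	var logical []string
	for _, line := range strings.Split(conf, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		if (line[0] == ' ' || line[0] == '\t') && len(logical) > 0 {
			logical[len(logical)-1] += " " + strings.TrimSpace(line)
			continue
		}
		logical = append(logical, line)
	}
	var uris []string
	for _, l := range logical {
		fields := strings.Fields(l)
		if len(fields) == 0 || fields[0] != "replica" {
			continue
		}
		for _, f := range fields[1:] {
			if strings.HasPrefix(f, "uri=") {
				uris = append(uris, strings.Trim(f[len("uri="):], `"`))
			}
		}
	}
	return uris
}

// replogReplicas returns the "replica:" tag of every replog record, in order.
func replogReplicas(replog string) []string {
	var tags []string
	for _, line := range strings.Split(replog, "\n") {
		if strings.HasPrefix(line, "replica: ") {
			tags = append(tags, strings.TrimPrefix(line, "replica: "))
		}
	}
	return tags
}

// unmatchedRecords lists replog tags that no configured replica key matches; these
// are the records slurpd logs as "(not mine)" and never ships to the replica.
func unmatchedRecords(conf, replog string) ([]string, error) {
	known := map[string]bool{}
	for _, uri := range configuredReplicas(conf) {
		key, _, err := replicaKey(uri)
		if err != nil {
			return nil, err
		}
		known[key] = true
	}
	var bad []string
	for _, tag := range replogReplicas(replog) {
		if !known[tag] {
			bad = append(bad, tag)
		}
	}
	return bad, nil
}

func main() {
	for _, uri := range configuredReplicas(sampleSlapdConf) {
		key, explicit, err := replicaKey(uri)
		fmt.Printf("replica %s -> key %s (explicit port: %v, err: %v)\n", uri, key, explicit, err)
	}
	bad, _ := unmatchedRecords(sampleSlapdConf, sampleReplog)
	for _, tag := range bad {
		fmt.Printf("replog record tagged %q matches no configured replica: slurpd would skip it\n", tag)
	}
}
```

Run against the constructed data it reports the port-0 record as unmatched and the :636 record as fine, which is the shape of the problem above: a replica whose uri has no explicit port is registered under the scheme default while the replog records carry a different key. The check is also a cheap way to confirm, before touching the live servers, that a proposed replica uri and the existing replog agree.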
-----Original Message-----
From: Ran Li
Sent: Wednesday, October 26, 2005 1:42 PM
To: 'Buchan Milne'; openldap-software@openldap.org
Subject: RE: slurpd over ssl, slurpd does not work, referral works
Hello Buchan / all,
I appreciate your comments, that is why I could not start slurpd
normally.
After starting slurpd successfully, however, the actual replication does
not work, the referral works though.
whenever I want to make a change, slurpd log says
Replica lda03.mydomain.com:636, skip repl record for
ou=test,ou=profile,o=mydomain.com (not mine)
when starting slurpd
......
Config: (replogfile /var/log/slapd.replog)
Config: (replica uri=ldaps://lda03.mydomain.com suffix="o=mydomain.com" binddn="cn=replica,ou=profile,o=mydomain.com" bindmethod=simple credentials=replica)
ldap_url_parse_ext(ldaps://lda03.mydomain.com)
Config: ** successfully added replica "lda03.mydomain.com:636"
Config: ** configuration file successfully read and parsed ......
Any suggestions? Thanks.
Regards,
Ran
-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
Sent: Tuesday, October 25, 2005 1:27 PM
To: Ran Li
Cc: openldap-software@openldap.org
Subject: Re: slurpd over ssl not tls
On Tuesday 25 October 2005 15:41, Ran Li wrote:
> Hello list,
>
> Having searched and read the archive, I still do not have a clue about
> my problem. Please see if you could provide a clue for
> troubleshooting. I'm trying to configure replication between hosts
> lda01 and lda03 (OL 2.3.7, BDB 4.3.28, openssl-0.9.8). When using 389,
> replication was fine, and I can do the following to prove ldaps is working
> (slapd starts with -h "ldap:/// ldaps:///"):
>
> lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w
> replica -H ldaps://lda03.mydomain.com (over 636) or lda01 #
> ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h
> lda03.mydomain.com -Z (over 389, but not sure whether it is encrypted
> or not, -d7 can see tls_read:....)
>
>
> lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w
> replica -H ldaps://lda01.mydomain.com (over 636) or lda03 #
> ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h
> lda01.mydomain.com -Z (over 389, but not sure whether it is encrypted
> or not, -d7 can see tls_read:....)
>
> I can use ldapadmin tools to connect the servers over port 636 too,
>
> openssl verify on both servers says
>
> # openssl s_client -connect lda03.mydomain.com:636 -showcerts -state
> -CAfile /usr/local/openssl/misc/var/ca/cacert.pem
> ......
> Verify return code: 0 (ok)
>
> # openssl s_client -connect lda03.mydomain.com:636
> ......
> Verify return code: 19 (self signed certificate in certificate
> chain)
>
> but when start the slurpd, the log complains
>
> [lda01 ~]# /usr/local/openldap/libexec/slurpd -f
> /usr/local/openldap/etc/openldap/slapd.conf -r /var/log/slapd.replog
> -d 1
> @(#) $OpenLDAP: slurpd 2.3.7 (Sep 7 2005 13:42:42) $
> root@lda01.mydomain.com:/opt/src/openldap-2.3.7/servers/slurpd
>
> ldap_url_parse_ext(ldaps://lda03.mydomain.com)
> Warning: saved state for 10.1.4.133:389, not a known replica
> Warning: unknown replica 10.1.4.133:389 found in replication log
> Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
> Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
> ldap_create
> ldap_url_parse_ext(ldaps://lda03.mydomain.com)
> ldap_simple_bind_s
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP lda03.mydomain.com:636
> ldap_new_socket: 8
> ldap_prepare_socket: 8
> ldap_connect_to_host: Trying 10.1.4.133:636
> ldap_connect_timeout: fd: 8 tm: -1 async: 0
> ldap_ndelay_on: 8
> Warning: unknown replica lda03.mydomain.com:0 found in replication log
> ldap_is_sock_ready: 8
> ldap_ndelay_off: 8
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /C=ca/ST=ontario/L=toronto/O=my corp/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com, issuer: /C=ca/ST=ontario/L=toronto/O=mydomain/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_err2string
> Error: ldap_simple_bind_s for lda03.mydomain.com:636 failed: Can't
> contact LDAP server
> ldap_unbind
>
> all configuration use the same cacert.pem but
> servercert.pem/serverkey.pem are different.
>
> on master(lda01)
> slapd.conf
> ...
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> replogfile /var/log/slapd.replog
> replica uri=ldaps://lda03.mydomain.com
> suffix="o=mydomain.com"
> binddn="cn=replica,ou=profile,o=mydomain.com"
> bindmethod=simple
> credentials=replica
> ...
>
> ldap.conf
These would be the pam_ldap/nss_ldap ldap.conf (by the fact that the
directives are in lower case):
> ...
> tls_reqcert allow
> tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
> tls_cacertdir /usr/local/openssl/misc/var/ca
>
> on slave(lda03)
> slapd.conf
> ...
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> updatedn "cn=replica,ou=profile,o=mydomain.com"
> updateref ldaps://lda01.mydomain.com
>
> slurpd over ssl is not working; however, the configuration below works.
> Not sure if I can say slurpd over tls is working:
>
> on master(lda01)
> slapd.conf
> ...
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> replogfile /var/log/slapd.replog
> replica host=lda03.mydomain.com:389
> suffix="o=mydomain.com"
> binddn="cn=replica,ou=profile,o=mydomain.com"
> credentials=replica
> bindmethod=simple
> tls=yes
> ldap.conf
pam_ldap/nss_ldap
> ...
> tls_reqcert allow
> tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
> tls_cacertdir /usr/local/openssl/misc/var/ca
>
> on slave(lda03)
> slapd.conf
> ...
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> updatedn "cn=replica,ou=profile,o=mydomain.com"
> updateref ldaps://lda01.mydomain.com
>
> Please comment, thanks in advance.
Specify the CA cert to the ldap library, with something like this (in
OpenLDAP's ldap.conf):
TLS_CACERT /usr/local/openssl/misc/var/ca/cacert.pem
--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
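The two openssl verify results quoted in the thread (return code 19 without -CAfile, 0 with it) and slurpd's "TLS certificate verification: depth: 1, err: 19" are the same check seen from different clients. The Go program below is an added example, not code from this thread or from OpenLDAP: it builds a constructed self-signed CA and a server certificate for lda03.mydomain.com in memory, then verifies the server's chain once against an empty trust store, which models a libldap client with no TLS_CACERT, and once with the CA added, which is what the TLS_CACERT line provides. All certificate contents are constructed and the helper names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl with parentKey (or with its own fresh key when parentKey is
// nil, giving a self-signed certificate) and returns the parsed certificate and
// the new private key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		signer = key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeCA builds a constructed self-signed CA, standing in for cacert.pem.
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"mydomain"}, CommonName: "mydomain.com"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return newCert(tmpl, tmpl, nil)
}

// makeServerCert issues a constructed server certificate for host, signed by the
// CA, standing in for servercert.pem on the replica.
func makeServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := newCert(tmpl, ca, caKey)
	return cert, err
}

// verifyServer checks the server certificate the way a TLS client must: the chain
// the server presents (its own cert plus the CA it sends along) is accepted only
// if it ends in a CA present in the trusted set. An empty trusted set models a
// client with no TLS_CACERT configured.
func verifyServer(server, sentCA *x509.Certificate, trusted *x509.CertPool, host string) error {
	intermediates := x509.NewCertPool()
	intermediates.AddCert(sentCA)
	_, err := server.Verify(x509.VerifyOptions{
		Roots:         trusted,
		Intermediates: intermediates,
		DNSName:       host,
	})
	return err
}

func main() {
	ca, caKey, err := makeCA()
	if err != nil {
		panic(err)
	}
	srv, err := makeServerCert(ca, caKey, "lda03.mydomain.com")
	if err != nil {
		panic(err)
	}
	// No CA configured: the chain ends in a self-signed cert the client does not trust.
	fmt.Println("no CA configured:", verifyServer(srv, ca, x509.NewCertPool(), "lda03.mydomain.com"))
	// CA configured (the effect of TLS_CACERT): the same chain verifies.
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("CA configured:   ", verifyServer(srv, ca, trusted, "lda03.mydomain.com"))
}
```

The first call fails with an unknown-authority error, the second succeeds, and nothing about the server changed between them: only the client's trust store did. That is why the fix lives on the slurpd side. slurpd links against libldap, which takes its TLS settings from OpenLDAP's own ldap.conf (TLS_CACERT), so a tls_cacert line in the pam_ldap/nss_ldap file, however correct, never reaches it.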