
Re: Syncrepl with SASL External



Hi Angela,

just got SASL EXTERNAL to work with syncrepl today. I am not sure
if .ldaprc and others play a role here. The consumer ldap server should have a
certificate, which you configure in your slapd.conf (man slapd.conf) or
otherwise in the config backend. If I am not confusing anything you should
have set

TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile

What's happening with you is that you most probably use a self-signed
certificate. It is not good. I would suggest you set up your own CA
and issue certificates to both consumer and provider.

best regards, vadim tarassov

On Mon, 2007-03-05 at 12:32 +0100, Angela Gavazzi wrote:
> On Saturday, 3 March 2007 00:04, Pierangelo Masarati wrote:
> > Dieter Kluenter wrote:
> > > Hi,
> > >
> > > Angela Gavazzi <edv@goetheanum.ch> writes:
> > >> Hello!
> > >>
> > >> I'm trying to set up a replication with syncrepl and saslmech external
> > >> and it won't succeed.
> > >> I was reading a lot but I really don't see where the problem is now and
> > >> don't know how to continue. So I really would appreciate if somebody
> > >> could point me to the probable error.
> > >> Please let me know if you need more infos.
> > >
> > > [...]
> > >
> > >> *****************************************************************
> > >> slave:
> > >>
> > >> ...
> > >> overlay syncprov
> > >> syncrepl rid=001
> > >> provider=ldap://erde.aag:389
> > >> searchbase="dc=aag"
> > >> type=refreshOnly
> > >> filter="objectClass=*"
> > >> attrs="*,+"
> > >> schemachecking=off
> > >> scope=sub
> > >> interval=00:00:01:00
> > >> updatedn "cn=repl,dc=aag"
> > >> updateref="ldap://erde.aag:389";
> > >> bindmethod=sasl
> > >> saslmech=EXTERNAL
> 
> Hi, first I updated to 2.3.32 as Quanah wrote.
> 
> > > Is the relevant ldaprc pointing to the certificate?
> 
> ... from man
> 
> Users may create an optional configuration file, ldaprc or .ldaprc, in
> their home directory which will be used to override the system-wide
> defaults file.
> The file ldaprc in the current working directory is also used.
> 
> So I thought that ldap.conf is enough.
> 
> Apologies for the question:
> Where should ldaprc/.ldaprc be, if the ldapuser has no shell?
> Or what's the current working directory from openldap?
> 
> The homedir from ldapuser is /usr/local/ldap. I put the ldaprc
> therein, I tried also /etc/ldap and tried to start slapd with -r / -
> only for testing - and put it in there, but it makes no difference.
> 
> That's my ldap.conf
> 
> BASE dc=aag
> URI ldap://erde.aag:389
> TLS_CACERT /etc/ldap/certs/cacert.pem
> TLS_CERT /etc/ldap/certs/mond.aag_cert.pem
> TLS_KEY /etc/ldap/certs/mond.aag_key.pem
> 
> > >
> > >> authz-regexp
> > >> "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"
> > >> "ldap:///dc=aag??one? (cn=repl)"
> > >
> > > What is the result of ldapwhoami -Yexternal -ZZ ldap://mond.aag?
> 
> ldapwhoami -Yexternal -ZZ ldap://mond.aag
> SASL/EXTERNAL authentication started
> SASL username: emailAddress=edv@goetheanum.ch,CN=mond.aag,OU=Goetheanum,O=Allgemeine Anthroposophische Gesellschaft,L=Dornach,ST=Switzerland,C=CH
> SASL SSF: 0
> dn:email=edv@goetheanum.ch,cn=mond.aag,ou=goetheanum,o=allgemeine anthroposophische gesellschaft,l=dornach,st=switzerland,c=ch
> Result: Success (0)
> 
> >
> > If the above works, I think you'll need to add
> >
> > starttls=critical
> 
> I did it and got this now:
> 
> TLS certificate verification: depth: 0, err: 18,
> subject: /C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische
> Gesellschaft/OU=Goetheanum/CN=erde.aag/emailAddress=edv@goetheanum.ch,
> issuer: /C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische
> Gesellschaft/OU=Goetheanum/CN=erde.aag/emailAddress=edv@goetheanum.ch
> TLS certificate verification: Error, self signed certificate
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> Error: rid 001 ldap_start_tls failed (-11)
> 
> So I understand that openldap doesn't recognize the CA, but at the
> moment I don't know how to solve this.
> 
> It makes no difference if I start slapd as root, even if my ldapsearch
> as root works. I'm sure all cert and key files are accessible by the
> ldapuser.
> 
> Thanks to all
> 
> Angela
> 
> > to your syncrepl configuration, and make sure TLS is configured OK both
> > in the producer (see slapd.conf(5)) and in the consumer (see
> > ldap.conf(5)), and make sure the TLS_CERT and TLS_KEY are set in the
> > user-specific ldap.conf(5),
> 
> see below*
> 
> > and that TLS_REQCERT in the consumer's ldap.conf(5)
> 
> TLS_REQCERT require
> 
> > and TLSVerifyClient in the producer's slapd.conf(5) are set
> 
> TLSVerifyClient demand
> 
> > to something like "demand", so that certificates are checked for sure by
> > both peers.
> >
> > p.
> >
> >
> > Ing. Pierangelo Masarati
> > OpenLDAP Core Team
> >
> > SysNet s.n.c.
> > Via Dossi, 8 - 27100 Pavia - ITALIA
> > http://www.sys-net.it
> > ------------------------------------------
> > Office: +39.02.23998309
> > Mobile: +39.333.4963172
> > Email: pierangelo.masarati@sys-net.it
> > ------------------------------------------
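Added example, not part of this thread and not OpenLDAP's own code: the Python below covers the two technical points of the exchange. The first part parses the slapd "TLS certificate verification" message quoted above and maps OpenSSL's verify error code (err: 18 here) to the trust-store setting on each side (TLS_CACERT in the consumer's ldap.conf, TLSCACertificateFile in the provider's slapd.conf). The second part models how slapd renders the client certificate subject as the SASL EXTERNAL identity that ldapwhoami printed after "dn:" (RDN order reversed, attribute names in schema form so emailAddress becomes email, values lowercased) and applies an authz-regexp rule to it. The normalization model is an assumption inferred from the ldapwhoami output in the thread, the sample log text is Angela's log line reproduced as a constructed input, and the rule, the case-insensitive match, the fix wording and all function names are mine.

```python
import re

# --- Part 1: reading slapd's TLS verification log lines --------------------

# OpenSSL X.509 verification result codes as they appear in the "err:"
# field of slapd's TLS log lines (the subset relevant to a syncrepl pair).
VERIFY_ERRORS = {
    0: "ok",
    7: "certificate signature failure",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

TLS_LOG_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+),\s*"
    r"subject: (?P<subject>.+?),\s*issuer: (?P<issuer>.+)$"
)


def parse_tls_verify(text):
    """Extract depth, err, subject and issuer from one slapd verification
    message. The message is joined first because mail archives wrap it
    over several lines. Returns None for any other log line."""
    joined = " ".join(part.strip() for part in text.splitlines())
    m = TLS_LOG_RE.search(joined)
    if not m:
        return None
    return {"depth": int(m["depth"]), "err": int(m["err"]),
            "subject": m["subject"].strip(), "issuer": m["issuer"].strip()}


def diagnose(entry):
    """Turn a parsed result into the trust-store check to make. Error
    meanings are OpenSSL's; the suggested fixes are this example's wording."""
    err = entry["err"]
    meaning = VERIFY_ERRORS.get(err, "unknown OpenSSL verify error %d" % err)
    if err == 0:
        return "ok: peer certificate chain verified"
    if err in (18, 19):
        what = "the peer's certificate" if err == 18 else "a CA in the peer's chain"
        return ("%s: %s is self-signed and not trusted; add the CA that issued it "
                "to TLS_CACERT (consumer ldap.conf) / TLSCACertificateFile "
                "(provider slapd.conf), or issue both certificates from one CA"
                % (meaning, what))
    if err in (20, 21):
        return "%s: the trust store lacks the issuer of '%s'" % (meaning, entry["subject"])
    if err in (9, 10):
        return "%s: check the validity dates of '%s'" % (meaning, entry["subject"])
    return meaning


# --- Part 2: the identity SASL EXTERNAL derives from the client cert -------

# OpenLDAP's core schema lists 'email' as the primary name of this
# attribute and 'emailAddress' as an alias; the normalized DN uses the
# primary name, which is why ldapwhoami prints "email=" after "dn:".
ATTR_ALIASES = {"emailaddress": "email"}


def sasl_dn_from_openssl_subject(subject):
    """Simplified model (assumption) of how slapd renders an OpenSSL
    '/C=..' subject as the normalized SASL EXTERNAL DN: RDNs reversed,
    attribute names in schema form, values lowercased. Single-valued
    RDNs without escaping only."""
    rdns = [p for p in subject.split("/") if p]
    parts = []
    for rdn in reversed(rdns):
        name, _, value = rdn.partition("=")
        name = ATTR_ALIASES.get(name.lower(), name.lower())
        parts.append("%s=%s" % (name, value.lower()))
    return ",".join(parts)


def apply_authz_regexp(rules, sasl_dn):
    """Apply authz-regexp rules in order against the normalized DN (the
    text after 'dn:'), substituting $1..$9 in the replacement. Returns the
    first matching replacement, or None when the identity stays unmapped.
    Case-insensitive matching is this example's assumption."""
    for pattern, replacement in rules:
        m = re.match(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


# Constructed sample: the verification failure from the thread, wrapped as
# the archive shows it.
SAMPLE_LOG = """TLS certificate verification: depth: 0, err: 18,
subject: /C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische
Gesellschaft/OU=Goetheanum/CN=erde.aag/emailAddress=edv@goetheanum.ch,
issuer: /C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische
Gesellschaft/OU=Goetheanum/CN=erde.aag/emailAddress=edv@goetheanum.ch"""

# Constructed sample: the consumer's certificate subject in OpenSSL form.
CONSUMER_SUBJECT = ("/C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische "
                    "Gesellschaft/OU=Goetheanum/CN=mond.aag/emailAddress=edv@goetheanum.ch")

# Example rule written against the normalized form shown by ldapwhoami.
RULES = [
    (r"^email=[^,]+,cn=([^,]+),ou=goetheanum,"
     r"o=allgemeine anthroposophische gesellschaft,l=dornach,st=switzerland,c=ch$",
     "ldap:///dc=aag??one?(cn=repl)"),
]

if __name__ == "__main__":
    print(diagnose(parse_tls_verify(SAMPLE_LOG)))
    dn = sasl_dn_from_openssl_subject(CONSUMER_SUBJECT)
    print("dn:" + dn)
    print(apply_authz_regexp(RULES, dn))
```

Running the script prints the diagnosis for the err: 18 line (the provider presented a self-signed certificate that the consumer's TLS_CACERT does not contain), then the normalized DN for the consumer certificate and the search URL the rule maps it to. Writing the authz-regexp against the "dn:" form that ldapwhoami reports, rather than against the subject as the CA printed it, is the check worth doing before looking elsewhere.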