Re: Sync Replication via TLS/SSL - get bind err
RUMI Szabolcs <rumi_ml@rtfm.hu> writes:
> Hello!
>
> On Thu, 20 Dec 2007 11:03:44 -0500
> "Chris G. Sellers" <chris.sellers@nitle.org> wrote:
>
>> I have set up sync replication on two OpenLDAP servers. I have it
>> successfully working via ldap://:389
>>
>> I then set up TLS for SSL connections. I used a self-signed cert
>> (using the OpenLDAP how-to) as well as a CA-signed cert from
>> cacert.org. I've set up the ca.crt in the ldap.conf file on both
>> the master and slave. I've also set up the ca.cert in the TLS for
>> the master server that the sync repl host connects to.
>>
>> I've tested the cert with a connection via ldap -Z and -d debug
>> option and seen that the cert appears to be validated.
>>
>> So, when I turn on ldaps:// for the syncrepl section of the slave
>> server, and use port 389 I get a bind error
ldaps:// is a server-initiated TLS session, while StartTLS on ldap://
is a client-initiated TLS session.
Don't forget that syncrepl is a client connection to the server.
[...]
>> which suggests that the connection could not be made on port 389 via
>> TLS. I can't figure out how to tell the repl connection to send a
>> certificate. Do I have to setup a user in LDAP with a cert? Do I
>> put a client cert into the syncrepl section of the slapd.conf file
>> on the slave? Please advise.
As already mentioned, syncrepl is a client operation, thus
ldap.conf(5) would be applicable, but slapd.conf(5) has additional
configuration parameters; just search for syncrepl.
> Indeed, I have also found that in the OpenLDAP documentation there
> are no directions about what kind of cert should be used for a syncrepl
> consumer, nor about how they could be specified - one may guess that
> one has to use the tls-related suboptions of the syncrepl option but
> there are no directions, no examples, no nothing. And then it does not
> work in the first place and does not have usable log or even debug
> output either...
Read the docs carefully! And think twice!
[...]
> When I set up normal SSL with provider="ldaps://<host>:636" then I
> simply get the same error you're getting and even with debug mode
> I could not get any details about the TLS/SSL handshake or what
> exactly the problem is.
First, test with the openssl tools, like s_client(1).
> IMHO it is extremely harsh how the self-signed certs are treated by
> OpenLDAP. In the majority of cases this is forcing people (after many
> hours of struggling) to use "TLS_REQCERT never" or similar settings,
> which ends up being a lot more insecure than it would be to accept a
> known self-signed cert... Not to mention that the syncrepl suboption
> "tls_reqcert=never" is apparently ignored so practically I've found
> that syncrepl is currently inoperable with any form of encryption.
> Is there anybody who could tell me what this is good for?
I do understand your frustration, but that is mostly due to not
reading the proper documentation. Forget about google, the only
relevant source of information is:
http://www.openssl.org/docs/
I have no problems creating a valid certificate chain with the openssl
tools; just modify openssl.cnf to your requirements:
./CA.pl -newca                                # create the CA (key + self-signed CA cert)
./CA.pl -newreq                               # generate a server key and CSR into newreq.pem
./CA.pl -sign                                 # sign the CSR with the CA, producing newcert.pem
openssl rsa -in newreq.pem -out mykey.pem     # extract the (unencrypted) private key for slapd
mv newcert.pem mycert.pem                     # the signed server certificate
./CA.pl -verify mycert.pem                    # check that the cert chains back to the CA
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
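Putting the thread's advice together as an added example (this is not from any of the posts above, nor an OpenLDAP project sample): a syncrepl directive for the consumer's slapd.conf, first with the weak setting people fall back to, then with the provider's certificate actually verified. Hostnames, DNs, credentials and file paths are placeholders; the tls_* suboptions are those documented in slapd.conf(5) for OpenLDAP 2.4.

```conf
# Consumer (slave) slapd.conf, syncrepl directive.
# Placeholder values: provider host, searchbase, binddn, credentials, file paths.

# WEAK: encrypted, but the consumer accepts ANY certificate, so a host
# impersonating the provider can feed it directory data and collect the
# replicator bind credentials.
#
# syncrepl rid=001
#   provider=ldap://master.example.com:389
#   starttls=critical
#   tls_reqcert=never
#   type=refreshAndPersist
#   searchbase="dc=example,dc=com"
#   bindmethod=simple
#   binddn="cn=replicator,dc=example,dc=com"
#   credentials=secret

# CORRECTED: StartTLS on the plain ldap:// port (syncrepl is the client,
# so ldaps:// belongs on 636, not 389), the provider's chain verified
# against the CA that signed it, and a client certificate presented in
# case the provider requires one.
syncrepl rid=001
  provider=ldap://master.example.com:389
  starttls=critical
  tls_cacert=/etc/openldap/cacerts/ca.crt
  tls_reqcert=demand
  tls_cert=/etc/openldap/certs/consumer.crt
  tls_key=/etc/openldap/certs/consumer.key
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=secret

# With the provider listening on ldaps:// instead, use
# provider=ldaps://master.example.com:636 and drop the starttls= line.
#
# Before enabling, prove the chain from the consumer host with s_client,
# as suggested in the reply; "Verify return code: 0 (ok)" is what you want:
#   openssl s_client -connect master.example.com:636 \
#       -CAfile /etc/openldap/cacerts/ca.crt
```

If the consumer still fails to bind with tls_reqcert=demand while s_client verifies cleanly, check that the name in the provider's certificate matches the host given in provider= exactly.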