Hi,
I installed OpenLDAP 2.4.11-1 on two Debian Lenny servers (srv3, srv4) in a master-slave configuration. I wanted to create a secure connection for syncrepl.
srv3 is the master (provider) and srv4 is the slave (consumer). While I didn't use a secure connection, ldapsearch and syncrepl worked. After I set up the secure connection, syncrepl didn't work.
I start slapd with -h "ldap://127.0.0.1/ ldaps:///" on both servers.
ldapsearch partially works:
Works from srv3:
ldapsearch -H ldaps://srv3.mydomain.site:636 -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
ldapsearch -H ldaps://srv4.mydomain.site:636 -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
ldapsearch -H ldap://127.0.0.1:389 -x -W -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
Works from srv4:
ldapsearch -H ldaps://srv4.mydomain.site:636/ -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
ldapsearch -H ldap://127.0.0.1:389 -x -W -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
Doesn't work from srv4:
ldapsearch -H ldaps://srv3.mydomain.site:636/ -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
Enter LDAP Password:
(after I give the password, it waits 1-2 seconds)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
On srv3:
/etc/ldap/ldap.conf:
host 127.0.0.1
base dc=mydomain,dc=site
logdir /var/lib/ldap/log
TLS_REQCERT hard
TLS_CACERT /etc/ssl/certs/cacert.pem
slapd.conf:
#########################################
# Global Directives:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel conns stats filter
idletimeout 30
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
sizelimit unlimited
tool-threads 1
TLSCertificateFile /etc/ssl/certs/srv3cert.pem
TLSCertificateKeyFile /etc/ssl/private/srv3key.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSVerifyClient never
#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb
database hdb
suffix "dc=mydomain,dc=site"
rootdn "cn=adm,dc=mydomain,dc=site"
rootpw {SSHA}.......
directory "/var/lib/ldap"
dbconfig set_cachesize 0 100000000 1
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 524288
dbconfig set_lg_dir /var/lib/ldap/log
dbconfig set_flags DB_LOG_AUTOREMOVE
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index sambaSIDList eq
index sambaGroupType eq
index entryCSN,entryUUID eq
lastmod on
checkpoint 512 30
access to *
by dn.exact="cn=replicator,dc=mydomain,dc=site" tls_ssf=128 read
by * break
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange
by dn="cn=admin,dc=mydomain,dc=site" write
by dn="cn=replicator,dc=mydomain,dc=site" read
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=mydomain,dc=site" write
by dn="cn=replicator,dc=mydomain,dc=site" read
by self write
by * read
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
On srv4:
/etc/ldap/ldap.conf:
host 127.0.0.1
logdir /var/lib/ldap/log
TLS_REQCERT hard
TLS_CACERT /etc/ssl/certs/cacert.pem
Thanks,
Tamas.