[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: overlay chain and TLS/SSL
Ralf Zimmermann <r.zimmermann@siegnetz.de> writes:
> Hi all,
>
> I think I have a problem with the overlay chain and tls. We have one physical
> master and two slaves in VMware Vsphere4. Our configuration runs normally fine,
> but sometimes we can't modify entries like passwords to the master. Then we
> must restart the slapd at the slaves. After restarting slapd all works fine.
> Then slapd works fine the wholy day. We can change entries or set passwords on
> the slaves. Next morning we must restart the slapd again, because we can't
> modify entries from the slaves. But we can query the slapd and syncrepl works
> fine. Only things over the overlay chains doesn't work. I have the problem not
> only with Version 2.4.20. I tested more Versions and actually 2.4.21 from
> pysically hardware.
>
> If I can't set entries on the slave I don't see any tcp packets from the slave
> to the master. DNS, time and so on looks fine and everything else is working.
> And if we restart slapd everything is working. Does anybody know what is going
> wrong and if there exits a workaround. I read some things abount /dev/random,
> /dev/urandom and kernel 2.6 in VMware. Can this be the problem?
>
> Here the overlay chain configuration.
>
> <snip slapd.conf>
> overlay chain
> chain-uri "ldap://eisenherz.camelot.de/";
> chain-idassert-bind bindmethod=simple
> binddn="cn=ldapadmin,dc=camelot,dc=de"
> credentials="xxxxxx"
> mode="self"
> chain-rebind-as-user TRUE
> chain-return-error TRUE
> chain-tls start
> </snip slapd.conf>
>
> Any help is appreciated.
What version is this?
I found that with 2.4.21 a tls_cacert option solved my problem.
chain-tls start
tls_cacert="/opt/openldap/etc/openldap/certs/avciCA.pem
tls_reqcert="demand"
slapd-ldap(5) provides more TLS options.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E