
Re: overlay chain and TLS/SSL



Hi Dieter,

>> Hi all,
>>
>> I think I have a problem with the overlay chain and TLS. We have one physical
>> master and two slaves in VMware vSphere 4. Our configuration normally runs fine,
>> but sometimes we can't modify entries like passwords on the master. Then we
>> must restart the slapd on the slaves. After restarting slapd all works fine.
>> Then slapd works fine the whole day. We can change entries or set passwords on
>> the slaves. Next morning we must restart the slapd again, because we can't
>> modify entries from the slaves. But we can query the slapd and syncrepl works
>> fine. Only things over the overlay chain don't work. I have the problem not
>> only with version 2.4.20. I tested more versions and actually 2.4.21 from
>> physical hardware.
>>
>> If I can't set entries on the slave I don't see any TCP packets from the slave
>> to the master. DNS, time and so on look fine and everything else is working.
>> And if we restart slapd everything is working. Does anybody know what is going
>> wrong and if there exists a workaround? I read some things about /dev/random,
>> /dev/urandom and kernel 2.6 in VMware. Can this be the problem?
>>
>> Here the overlay chain configuration.
>>
>> <snip slapd.conf>
>> overlay                chain
>> chain-uri              "ldap://eisenherz.camelot.de/"
>> chain-idassert-bind    bindmethod=simple
>>                        binddn="cn=ldapadmin,dc=camelot,dc=de"
>>                        credentials="xxxxxx"
>>                        mode="self"
>> chain-rebind-as-user   TRUE
>> chain-return-error     TRUE
>> chain-tls              start
>> </snip slapd.conf>
>>
>> Any help is appreciated.
>
>What version is this?
>I found that with 2.4.21 a tls_cacert option solved my problem.

I have the problem in 2.4.12, 2.4.18, 2.4.19, 2.4.20 and 2.4.21.

>chain-tls start
>	tls_cacert="/opt/openldap/etc/openldap/certs/avciCA.pem"
>	tls_reqcert="demand"
>
>slapd-ldap(5) provides more TLS options.
>

I know and I have configured some of them. But the problem still exists. I
can't see any packets on the network device from the slave to the master. If I
restart the slave slapd then all works fine for a time.

But I will read the man page again. 

Today I have sent a mail to the list with two traces, one with a successful
passmod and one with a non-working passmod. Here is the link:

http://www.openldap.org/lists/openldap-technical/201003/msg00019.html

The differences in the traces are the hdb_dn2id entries. When the passmod over the
slave is OK then I can see entries like:

bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()

or 

=> hdb_dn2id("ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x9
=> hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0xa
entry_decode: ""
<= entry_decode()

When the passmod fails these entries are not in the trace. After restarting
the slapd I can change passwords over the slaves and I can see the hdb_dn2id
entries in the trace.

Regards
Ralf Zimmermann

--

 .''`.  Ralf Zimmermann
: :' :  SIEGNETZ.IT GmbH       	     
`. `'   Schneppenkauten 1a      
  `-    57076 Siegen   		
                               
	Tel.: +49 271 68193 13
	Fax.: +49 271 68193 29

	Amtsgericht Siegen HRB4838
	Geschaeftsfuehrer: Oliver Seitz
	Sitz der Gesellschaft ist Siegen
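The diagnostic described in the message above (comparing a working and a failing slapd trace for the hdb_dn2id lookups of the idassert bind DN) can be automated. The following script is an added example for this thread, not code from the original mail or from OpenLDAP; the regular expressions are modelled only on the trace excerpts quoted in the thread, the sample traces are constructed, and the `conn=... PASSMOD` line in the failing sample is an invented placeholder.

```python
import re

# Trace lines in which the hdb backend resolves a DN to an entry id.
# Patterns are derived from the excerpts in the thread; other slapd
# trace formats are deliberately not handled.
DN2ID_REQ = re.compile(r'^=> hdb_dn2id\("(?P<dn>[^"]*)"\)\s*$')
DN2ID_RES = re.compile(r'^<= hdb_dn2id: got id=(?P<id>0x[0-9a-fA-F]+)\s*$')


def parse_dn2id(trace):
    """Return an ordered list of (dn, id) pairs for every completed hdb_dn2id lookup."""
    pairs = []
    pending = None
    for raw in trace.splitlines():
        line = raw.strip()
        m = DN2ID_REQ.match(line)
        if m:
            pending = m.group("dn")
            continue
        m = DN2ID_RES.match(line)
        if m and pending is not None:
            pairs.append((pending, int(m.group("id"), 16)))
            pending = None
    return pairs


def chain_reached_bind_dn(trace, bind_dn):
    """True if the trace shows the chain overlay's idassert bind DN being resolved."""
    return any(dn.lower() == bind_dn.lower() for dn, _ in parse_dn2id(trace))


def diff_dn2id(trace_ok, trace_bad):
    """DNs looked up in the working trace but absent from the failing one."""
    ok = {dn.lower() for dn, _ in parse_dn2id(trace_ok)}
    bad = {dn.lower() for dn, _ in parse_dn2id(trace_bad)}
    return sorted(ok - bad)


# Constructed sample traces, modelled on the excerpts quoted in the thread.
TRACE_OK = """\
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
=> hdb_dn2id("ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x9
=> hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0xa
entry_decode: ""
<= entry_decode()
"""

# Failing case: the password-policy lookup happens, the bind DN is never resolved.
# The first line is an invented placeholder, not real slapd output.
TRACE_BAD = """\
conn=1003 op=1 PASSMOD
=> hdb_dn2id("ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x9
"""

# The chain-idassert-bind binddn from the slapd.conf quoted in the thread.
BIND_DN = "cn=ldapadmin,dc=camelot,dc=de"

if __name__ == "__main__":
    print("working trace resolved bind DN:", chain_reached_bind_dn(TRACE_OK, BIND_DN))
    print("failing trace resolved bind DN:", chain_reached_bind_dn(TRACE_BAD, BIND_DN))
    print("lookups missing in failing trace:", diff_dn2id(TRACE_OK, TRACE_BAD))
```

Run it against two real `slapd -d` captures by replacing the sample strings with the file contents; if the failing trace never resolves the bind DN, the request stalled before the chain overlay attempted its idassert bind, which matches the "no TCP packets to the master" observation in the thread.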
        
