Seg fault with TLS syncrepl?
My N-way replication works properly with bindmethod=simple.
However, I don't like keeping a password in the clear in
a configuration file, so I tried this:
On server "ldap-master1.example.fr":
TLSVerifyClient allow

# Pull from master2, authenticating with this server's own certificate
# (SASL EXTERNAL over StartTLS) instead of a password. The continuation
# lines must start with whitespace, or slapd reads them as new directives.
syncrepl rid=101
        provider=ldap://ldap-master2.example.fr:389
        searchbase="dc=example,dc=fr"
        schemachecking=on
        type=refreshOnly
        interval=00:00:01:00
        retry="10 +"
        bindmethod=sasl
        saslmech=EXTERNAL
        starttls=critical
        tls_cert=/etc/openldap/cacerts/master1/server.crt
        tls_key=/etc/openldap/cacerts/master1/server.key
        tls_cacert=/etc/openldap/cacerts/CA.crt
        tls_reqcert=demand
On server "ldap-master2.example.fr":
TLSVerifyClient allow

# Mirror image of master1: pull from master1 with master2's own certificate.
syncrepl rid=201
        provider=ldap://ldap-master1.example.fr:389
        searchbase="dc=example,dc=fr"
        schemachecking=on
        type=refreshOnly
        interval=00:00:01:00
        retry="10 +"
        bindmethod=sasl
        saslmech=EXTERNAL
        starttls=critical
        tls_cert=/etc/openldap/cacerts/master2/server.crt
        tls_key=/etc/openldap/cacerts/master2/server.key
        tls_cacert=/etc/openldap/cacerts/CA.crt
I get a segmentation fault:
ldap-master1 #$ /usr/sbin/slapd -h ldap:/// -u ldap -d256
@(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
<= bdb_inequality_candidates: (entryCSN) not indexed
slapd starting
slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error, ldap_start_tls failed (-1)
do_syncrepl: rid=101 rc -1 retrying
conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="" method=163
conn=1000 op=1 BIND authcid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" authzid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
conn=1000 op=1 BIND dn="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" mech=EXTERNAL sasl_ssf=0 ssf=256
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1000 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
conn=1000 op=2 SRCH attr=* +
conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1000 op=3 UNBIND
conn=1000 fd=12 closed
Segmentation fault
The segfault happened when the second server tried to sync with the first one:
[root@ldap-master2 cacerts]# /usr/sbin/slapd -h ldap:/// -u ldap -d256
@(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
TLS: error: accept - force handshake failure: errno 2 - moznss error -5938
TLS: can't accept: TLS error -5938:Encountered end of file.
conn=1000 fd=12 closed (TLS negotiation failure)
^C
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.
Any idea?
NOTE: if I start the daemon on ldap-master2 first, it is ldap-master2 that
produces the seg fault.
---
Olivier
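Added example (my own, not from Olivier's post or from OpenLDAP): the pre-flight checks I would run on each master before enabling a SASL EXTERNAL syncrepl consumer. It verifies that tls_cert and tls_key belong together, prints the DN the provider will see for that certificate (the BIND lines in the post show the form slapd logs: RFC 2253 order, lowercase attribute types, and `email` in place of emailAddress), checks that the key is readable by the account slapd drops to with `-u ldap`, and exercises StartTLS plus an EXTERNAL bind with ldapwhoami outside of slapd. The file paths, hostnames and subject DN in the usage comments are assumptions taken from the post; the awk step assumes the subject contains no escaped commas.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenLDAP: pre-flight
# checks for a syncrepl consumer that binds with SASL EXTERNAL over StartTLS.
# Paths, hostnames and the subject DN below are assumptions taken from the post.
set -u

# Reject an unreadable or unparseable cert/key outright, then compare the
# SHA-256 of the DER-encoded public key taken from each side (RSA or EC).
tls_pair_matches() {   # tls_pair_matches server.crt server.key
    cert="$1"; key="$2"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 1
    openssl pkey -in "$key" -noout >/dev/null 2>&1 || return 1
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The authcid the provider logs for an EXTERNAL bind is the client cert's
# subject in RFC 2253 order, with lowercase attribute types and "email" for
# emailAddress (compare the BIND lines in the post). This is the DN that any
# ACL, limits or authz-regexp on the provider has to refer to.
# Assumption: no escaped commas inside the subject's values.
sasl_external_authcid() {   # sasl_external_authcid server.crt
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed 's/^subject= *//' \
      | awk 'BEGIN { RS = ","; ORS = "" }
             { sub(/\n$/, "")
               eq = index($0, "=")
               t = tolower(substr($0, 1, eq - 1))
               if (t == "emailaddress") t = "email"
               printf "%s%s=%s", (NR > 1 ? "," : ""), t, substr($0, eq + 1) }
             END { printf "\n" }'
}

# slapd is started with "-u ldap" in the post, so the consumer reads the key
# as that account, not as root.
key_readable_by() {   # key_readable_by /etc/openldap/cacerts/master1/server.key ldap
    su -s /bin/sh "$2" -c "test -r '$1'"
}

# Reproduce the consumer's bind by hand: StartTLS is mandatory (-ZZ, the
# equivalent of starttls=critical) and the identity comes from the client
# cert. On success ldapwhoami prints the same DN the provider logs.
check_external_bind() {   # check_external_bind ldap://ldap-master2.example.fr:389 cert key cacert
    LDAPTLS_CERT="$2" LDAPTLS_KEY="$3" LDAPTLS_CACERT="$4" LDAPTLS_REQCERT=demand \
        ldapwhoami -H "$1" -ZZ -Y EXTERNAL
}

# Local checks when run directly:  sh syncrepl-tls-check.sh server.crt server.key
if [ "$#" -ge 2 ]; then
    if tls_pair_matches "$1" "$2"; then echo "cert/key pair: OK"; else echo "cert/key pair: MISMATCH"; fi
    echo "SASL EXTERNAL authcid: $(sasl_external_authcid "$1")"
fi
```

If `check_external_bind` fails the same way slapd did (ldap_start_tls failed), rerun it with `-d 1` added to the ldapwhoami line to get the TLS library's own error instead of slapd's bare -1; the DN printed by `sasl_external_authcid` is the one to grant replication rights to on the provider side.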