[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
syncrepl failing with TLS negotiation failure
Hello,
I'm trying to get syncrepl working, using simple bind over TLS. TLS is
failing with
Consumer:
Oct 12 17:21:53 auth-01 slapd[23241]: slap_client_connect:
URI=ldap://auth-00.vis.kaust.edu.sa Error, ldap_start_tls failed (-11)
Oct 12 17:21:53 auth-01 slapd[23241]: do_syncrepl: rid=000 rc -11
retrying (3 retries left)
Provider:
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 fd=137 ACCEPT from
IP=109.171.138.17:39458 (IP=0.0.0.0:389)
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 op=0 STARTTLS
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 op=0 RESULT oid= err=0 text=
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 fd=137 closed (TLS
negotiation failure)
TLS is working for other uses of the server including ldapsearch:
auth-01$ ldapsearch -ZZ -x -D cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa
-W -H ldap://auth-00.vis.kaust.edu.sa uid=iain
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 fd=137 ACCEPT from
IP=109.171.138.17:39460 (IP=0.0.0.0:389)
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 op=0 STARTTLS
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 op=0 RESULT oid= err=0 text=
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 fd=137 TLS established
tls_ssf=256 ssf=256
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=1 BIND
dn="cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa" method=128
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=1 BIND
dn="cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa" mech=SIMPLE ssf=0
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=1 RESULT tag=97 err=0 text=
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=2 SRCH
base="dc=vis,dc=kaust,dc=edu,dc=sa" scope=2 deref=0
filter="(uid=iain)"
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=2 ENTRY
dn="uid=iain,ou=people,dc=vis,dc=kaust,dc=edu,dc=sa"
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=2 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=3 UNBIND
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 fd=137 closed
and any number of clients are cheerfully using it through
{pam,nss}_ldap and sssd.
I'm not sure where to attack this from. The TLS settings should be
identical. Any thoughts on how to proceed would be appreciated.
consumer:
$ lsb_release -a
LSB Version: :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: Scientific
Description: Scientific Linux release 6.1 (Carbon)
Release: 6.1
Codename: Carbon
$ rpm -q openldap-servers
openldap-servers-2.4.23-15.el6.x86_64
>From slapd.conf:
syncrepl rid=000
provider=ldap://auth-00.vis.kaust.edu.sa
searchbase=dc=vis,dc=kaust,dc=edu,dc=sa
bindmethod=simple
binddn=cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa
credentials=mysecret
type=refreshOnly
retry="10 3 120 5 600 +"
tls_cacert=/etc/ssl/VisLabCA.pem
tls_reqcert=allow
starttls=critical
provider:
$ lsb_release -a
LSB Version: :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 5.6 (Final)
Release: 5.6
Codename: Final
$ rpm -q openldap-servers
openldap-servers-2.3.43-12.el5_5.3
Iain.
--
Systems Engineer
KAUST Visualisation Laboratory