mmhhh..
In summary :
I manage to set up servers so that usual clients can use TLS
to connect to the server (ldapsearch with -ZZ works)
I manage to set up ONE ldap server to syncrepl on another one
using saslmech = external and verifying the provider certificate.
I CAN'T manage to set up two ldap server to syncrepl on each
others (N-WAY) using saslmech = external and I get very strange
outputs depending when the syncronisation happens (sounds
different when both queries and responses overlap or not)
Not sure this new one I got could help :
@(#) $OpenLDAP: slapd 2.4.23 (Sep 20 2011 08:28:48) $
mockbuild@x86-006.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
slap_client_connect: URI=ldap://ldap1.example.fr Warning,
ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://ldap1.example.fr
ldap_sasl_interactive_bind_s failed (-1)
do_syncrepl: rid=211 rc -1 retrying
slap_client_connect: URI=ldap://ldap1.example.fr Warning,
ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://ldap1.example.fr
ldap_sasl_interactive_bind_s failed (-1)
do_syncrepl: rid=211 rc -1 retrying
TLS: could not read certificate file AWïïIïïAVAUATUHïïSHïï8� - error
-5950:File not found.
TLS: AWïïIïïAVAUATUHïïSHïï8� is not a valid CA certificate file -
error -5950:File not found.
TLS: could not get info about the CA certificate directory
Hïl$ïHïïHï\$ïHïïXHïï�Hïï1ïïïcïïHïïHïï1ïï� - error -5950:File not
found.
TLS: did not find any valid CA certificates in
Hïl$ïHïïHï\$ïHïïXHïï�Hïï1ïïïcïïHïïHïï1ïï� or AWïïIïïAVAUATUHïïSHïï8�
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error
-5950:File not found
TLS: can't create ssl handle.
slap_client_connect: URI=ldap://ldap1.example.fr Warning,
ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap1.example.fr
ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=211 rc -6 retrying
TLS: error: could not initialize moznss security context - error
-5925:The one-time function was previously called and failed. Its
error code is no longer available
TLS: can't create ssl handle.
slap_client_connect: URI=ldap://ldap1.example.fr Warning,
ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap1.example.fr
ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=211 rc -6 retrying
slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
When I don't change anything on the config on that one that have output this,
but changing only the config to the other one to only be a provider
(or vice versa),
then I get no error ??
On Tue, Oct 11, 2011 at 11:10 AM, Olivier<ldap@guillard.nom.fr> wrote:
I now have a new issue with TLS : certificate files are even not red and
presented to the server anymore.
I have this on server ldap2 :
syncrepl rid=211
provider=ldap://ldap1.example.fr:389
searchbase="dc=example,dc=fr"
schemachecking=on
type=refreshOnly
interval=00:00:00:05
retry="10 +"
bindmethod=sasl
saslmech=external
authcid="cn=replicator,ou=system,dc=example,dc=fr"
authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
tls_cacert=/etc/openldap/cacerts/CA.crt
tls_cert=/etc/openldap/cacerts/syncrepl.crt
tls_key=/etc/openldap/cacerts/syncrepl.key
tls_reqcert=demand
I get this as error : "ldap_sasl_interactive_bind_s failed (-6)"
and if I launch slapd through strace I see that
/etc/openldap/cacerts/syncrepl.crt
is never opened (then never presented to the server).
Note that on the server I have configured :
TLSVerifyClient demand
To be sure that the server ask for the certificate.
What have I forgotten ? Please help me to diag where is the problem.