
syncrepl failing with ldap_start_tls failed (-11)



Hello,

* Summary:

I'm trying to set up syncrepl in my LDAP infrastructure. The logs on
my consumer show that syncrepl is failing to negotiate TLS when
connecting to the provider. Other LDAP commands such as ldapsearch and
sssd show no problem connecting using the same TLS configuration.

At this point, I don't have a good idea of how to continue debugging
this problem. Are there any more configuration items affecting TLS I
should be looking at? Or any way of getting more details on the TLS
negotiation?


* The provider ("auth-00.[MYDOMAIN]"):

slapd 2.4.23 from openldap-servers-2.4.23-15.el6.x86_64 on Scientific
Linux 6. TLS is configured with

[cn=config]
olcTLSCACertificateFile: /etc/ssl/[MYCA].pem
olcTLSCertificateFile: /etc/ssl/certs/auth-00.crt.pem   # Has CN=auth-00.[MYDOMAIN]
olcTLSCertificateKeyFile: /etc/ssl/private/auth-00.key.pem
olcTLSVerifyClient: never

If I try:
$ ldapsearch -ZZ -x -H ldap://auth-00.[MYDOMAIN]/ uid=iain
it connects and cheerfully returns objects


* The provider ("auth-01.[MYDOMAIN]"):

Same slapd version, same package, same OS. syncrepl configuration:

olcSyncrepl: rid=001 provider=ldap://auth-00.[MYDOMAIN]:389
  bindmethod=simple timeout=0 network-timeout=0
  binddn="cn=syncrepl,dc=[MYDOMAIN]" credentials="[MYPASSWORD]"
  keepalive=0:0:0 filter="(objectClass=*)" searchbase="dc=[MYDOMAIN]" scope=sub
  schemachecking=off type=refreshAndPersist retry="10 3 120 5 600 +"
  starttls=critical tls_cacert=/etc/ssl/[MYCA].pem


* The error

Consumer:
Jan 28 11:53:12 auth-01 slapd[5595]: slapd starting
Jan 28 11:53:12 auth-01 slapd[5595]: slap_client_connect: URI=ldap://auth-00.[MYDOMAIN]:389 Error, ldap_start_tls failed (-11)
Jan 28 11:53:13 auth-01 slapd[5595]: do_syncrepl: rid=001 rc -11 retrying (2 retries left)

Provider receiving syncrepl connection:
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 ACCEPT from IP=[AUTH-01'S IP]:42669 (IP=0.0.0.0:389)
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 STARTTLS
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 RESULT oid= err=0 text=
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 closed (TLS negotiation failure)

Provider receiving ldapsearch connection:
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 ACCEPT from IP=[AUTH-01'S IP]:42765 (IP=0.0.0.0:389)
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 STARTTLS
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 RESULT oid= err=0 text=
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 TLS established tls_ssf=256 ssf=256
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=1 BIND [...]


Thanks,

    Iain.

-- 
Systems Engineer
KAUST Visualisation Laboratory
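Two helpers, added here as an example and not part of the original post or of OpenLDAP itself: the first reads a provider log like the excerpts above and reports, per connection, whether a STARTTLS ended in "TLS established" or in a close, optionally filtered to one client IP so the consumer slapd's attempts can be compared with an ldapsearch from the same host; the second reproduces the consumer's syncrepl TLS settings with ldapsearch (mandatory STARTTLS, the tls_cacert file, libldap debug output) after first checking that the CA file is readable by the account slapd runs as. The host names, the 10.0.0.x addresses, the slapd account name (ldap) and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenLDAP itself.
# Summarise how each STARTTLS on the provider ended, and reproduce the
# consumer's TLS settings outside slapd. Host names, IPs, the slapd
# account name and the log lines below are constructed for illustration.

# starttls_outcomes LOGFILE [CLIENT_IP]
# Prints one line per connection that issued STARTTLS:
#   conn=N ip=ADDR:PORT result=established ssf=N   or   result=failed
# A STARTTLS counts as failed unless a "TLS established" line follows for
# the same conn. CLIENT_IP restricts the report to one source address.
starttls_outcomes() {
    awk -v want="$2" '
        function conn() { match($0, /conn=[0-9]+/); return substr($0, RSTART, RLENGTH) }
        / ACCEPT from IP=/ {
            c = conn()
            match($0, /from IP=[^ ]+/)
            src[c] = substr($0, RSTART + 8, RLENGTH - 8)   # strip "from IP="
        }
        / STARTTLS$/ { tls[conn()] = "result=failed" }
        / TLS established / {
            c = conn()
            match($0, /ssf=[0-9]+$/)                          # the final ssf=N
            tls[c] = "result=established " substr($0, RSTART, RLENGTH)
        }
        END {
            for (c in tls)
                if (want == "" || index(src[c], want ":") == 1)
                    print c " ip=" src[c] " " tls[c]
        }
    ' "$1" | sort
}

# probe_starttls HOST CACERT [SLAPD_USER]
# Does what the consumer's syncrepl does, but from ldapsearch: STARTTLS
# against HOST, mandatory (-ZZ, like starttls=critical), verifying the
# server with the CA file given as tls_cacert. -d 1 makes libldap print
# its TLS diagnostics (e.g. why a certificate was rejected), which the bare
# "ldap_start_tls failed (-11)" in slapd's log does not. SLAPD_USER is the
# account slapd runs as (assumed: ldap, as on the EL6 packages); the CA
# file is first checked for readability as that user, since slapd, unlike
# a root shell, may not be able to open it.
probe_starttls() {
    host=$1; cacert=$2; user=${3:-ldap}
    if ! su -s /bin/sh "$user" -c "test -r '$cacert'"; then
        echo "CA file $cacert is not readable as user $user" >&2
        return 1
    fi
    LDAPTLS_CACERT="$cacert" ldapsearch -ZZ -x -d 1 -H "ldap://$host/" -s base -b '' >/dev/null
}

# Constructed sample of a provider log: one consumer connection that is
# closed after STARTTLS, one ldapsearch that establishes TLS, and one
# plain connection that never issues STARTTLS.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 ACCEPT from IP=10.0.0.2:42669 (IP=0.0.0.0:389)
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 STARTTLS
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 RESULT oid= err=0 text=
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 closed (TLS negotiation failure)
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 ACCEPT from IP=10.0.0.2:42765 (IP=0.0.0.0:389)
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 STARTTLS
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 RESULT oid= err=0 text=
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 TLS established tls_ssf=256 ssf=256
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=1 BIND dn="cn=syncrepl,dc=example,dc=com" method=128
Jan 28 14:00:00 auth-00 slapd[22621]: conn=1100 fd=104 ACCEPT from IP=10.0.0.3:50000 (IP=0.0.0.0:389)
Jan 28 14:00:00 auth-00 slapd[22621]: conn=1100 op=0 BIND dn="" method=128
EOF

starttls_outcomes "$SAMPLE_LOG"

# Against a real provider, run on the consumer host as root, e.g.:
#   ./starttls-probe.sh auth-00.example.com /etc/ssl/MYCA.pem
if [ $# -ge 2 ]; then
    probe_starttls "$@"
fi
```

If the ldapsearch probe verifies the provider cleanly with the same CA file that olcSyncrepl names in tls_cacert, the remaining difference is between what a shell user and the slapd process can do, and the readability check above covers only part of that (file permissions, but not, say, SELinux). Running the consumer's slapd in the foreground with a debug level (slapd -d 1) should print the same libldap TLS messages for the syncrepl connection, since syncrepl uses the same client library as ldapsearch.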