@(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:18:58) $
buildd@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
and
@(#) $OpenLDAP: slapd (Oct 17 2012 19:48:41) $
buildd@komainu:/build/buildd/openldap-2.4.28/debian/build/servers/slapd
for the replica.
The replication part works great, but whenever I try to use TLS it fails.
Here is how I proceed:
- Generate the certs (tried with CA.sh, CA.pl, certtools)
-> I use the server's FQDN as CN (hostname --fqdn gives the right output)
- Copy files to /etc/ldap/ssl
- chmod 660 them and chown openldap:openldap
An output of slapcat can be found here: http://paste.ubuntu.com/5638646/
When I try to check if TLS is working by using -ZZ of ldapsearch:
i.e.: ldapsearch -xLLL -b dc=beware,dc=fr -D cn=admin,dc=beware,dc=fr -w motdepasse -H ldap://master.beware.fr/ -ZZ
I get no error.
The errors I get are:
May 6 16:14:20 master slapd[1057]: slapd starting
May 6 16:14:23 master slapd[1057]: slap_client_connect: URI=ldap://slave.beware.fr/ DN="cn=admin,cn=config" ldap_sasl_bind_s failed (-1)
May 6 16:14:23 master slapd[1057]: do_syncrepl: rid=002 rc -1 retrying (4 retries left)
May 6 16:14:23 master slapd[1057]: slap_client_connect: URI=ldap://slave.beware.fr Warning, ldap_start_tls failed (-1)
May 6 16:14:26 master slapd[1057]: slap_client_connect: URI=ldap://slave.beware.fr DN="cn=admin,dc=beware,dc=fr" ldap_sasl_bind_s failed (-1)
May 6 16:14:26 master slapd[1057]: do
(on the slave)
e.fr Error, ldap_start_tls failed (-1)
May 6 16:14:55 slave slapd[1278]: do_syncrepl: rid=003 rc -1 retrying (4 retries left)
May 6 16:15:00 slave slapd[1278]: slap_client_connect: URI=ldap://master.beware.fr/ DN="cn=admin,cn=config" ldap_sasl_bind_s failed (-1)
May 6 16:15:00 slave slapd[1278]: do_syncrepl: rid=001 rc -1 retrying (3 retries left)
May 6 16:15:00 slave slapd[1278]: slap_client_connect: URI=ldap://master.beware.fr Error, ldap_start_tls failed (-1)
May 6 16:15:00 slave slapd[1278]: do_syncrepl: rid=003 rc -1 retrying (3 retries left)
Output of slapd -d 16383:
5187bb09 slap_client_connect: URI=ldap://master.beware.fr Error, ldap_start_tls failed (-1)
5187bb09 daemon: activity on 1 descriptor
5187bb09 daemon: activity on:5187bb09
5187bb09 daemon: epoll: listen=7 active_threads=0 tvp=zero
5187bb09 daemon: epoll: listen=8 active_threads=0 tvp=zero
5187bb09 do_syncrepl: rid=003 rc -1 retrying (3 retries left)
Regards,
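The steps above (generate a cert whose CN is the FQDN, drop it in /etc/ldap/ssl, restrict ownership and mode, then test with ldapsearch -ZZ) are exactly the things worth checking on each side before looking at syncrepl itself. Note that ldapsearch resolves its trust anchor from the client configuration (TLS_CACERT in ldap.conf), while the slapd syncrepl consumer uses the tls_cacert=/tls_reqcert= keywords of the syncrepl directive or the server's own olcTLS* settings, so "ldapsearch -ZZ works" does not by itself prove the consumer can validate the peer. The following pre-flight script is an added example, not code from the original post or from the OpenLDAP project: it checks the CN of a certificate subject against the host name the consumer dials, checks that a private key is owned by the service user and not readable by others (GNU stat), and, when PROBE_HOST is set, performs a StartTLS handshake with openssl s_client (-starttls ldap needs OpenSSL 1.1.1 or later) and with ldapsearch in trace mode so the loaded CA and the verification result are visible. The subject strings, file names, the openldap user and the CAFILE path are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example (not part of the original post): StartTLS pre-flight checks
# for an OpenLDAP provider/consumer pair. All paths and names are assumptions.

CAFILE=${CAFILE:-/etc/ldap/ssl/cacert.pem}   # assumed CA bundle location
SERVICE_USER=${SERVICE_USER:-openldap}       # assumed slapd user (Debian/Ubuntu)

# Extract the CN from an "openssl x509 -noout -subject" line. Both formats
# are handled:
#   subject= /C=FR/O=Example/CN=master.beware.fr        (OpenSSL 1.0 style)
#   subject=C = FR, O = Example, CN = master.beware.fr  (OpenSSL 1.1+ style)
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Return 0 when the certificate CN equals the FQDN the consumer will connect to.
# A mismatch here is the classic cause of a failed verification on the client.
cn_matches_host() {
    [ "$(cn_from_subject "$1")" = "$2" ]
}

# Return 0 when FILE exists, is owned by OWNER and has no permission bits for
# "other". Apply this to the private key; the CA certificate may stay readable.
key_perms_ok() {
    file=$1; owner=$2
    [ -f "$file" ] || return 1
    [ "$(stat -c %U "$file")" = "$owner" ] || return 1
    mode=$(stat -c %a "$file")
    [ "${mode#${mode%?}}" = "0" ]        # last octal digit = "other" bits
}

# Live StartTLS probe against HOST:389. Not run unless PROBE_HOST is set.
starttls_probe() {
    host=$1
    echo "== openssl s_client StartTLS handshake against $host (CA: $CAFILE)"
    # "Verify return code: 0 (ok)" means the chain in CAFILE validates the
    # server certificate; anything else names the verification problem.
    openssl s_client -connect "$host:389" -starttls ldap -CAfile "$CAFILE" \
        </dev/null 2>&1 | grep -E 'subject=|issuer=|Verify return code'
    echo "== libldap view (ldapsearch -ZZ with -d 1), TLS-related lines only"
    ldapsearch -x -H "ldap://$host/" -ZZ -b '' -s base -d 1 2>&1 \
        | grep -iE 'tls|certificate' | head -20
}

# Static checks on a local certificate/key pair, e.g.
#   static_checks /etc/ldap/ssl/server.crt /etc/ldap/ssl/server.key "$(hostname --fqdn)"
static_checks() {
    crt=$1; key=$2; fqdn=$3
    subj=$(openssl x509 -noout -subject -in "$crt" 2>/dev/null)
    if cn_matches_host "$subj" "$fqdn"; then
        echo "ok: CN matches $fqdn"
    else
        echo "FAIL: CN '$(cn_from_subject "$subj")' does not match $fqdn"
    fi
    if key_perms_ok "$key" "$SERVICE_USER"; then
        echo "ok: $key owned by $SERVICE_USER and not world-readable"
    else
        echo "FAIL: $key ownership/mode (expected owner $SERVICE_USER, mode x?0)"
    fi
}

if [ -n "${PROBE_HOST-}" ]; then
    starttls_probe "$PROBE_HOST"
fi
```

Run the static checks on each server against the FQDN the other side dials (the consumer on the slave connects to master.beware.fr, so the master's cert CN is compared with that name), then run PROBE_HOST=master.beware.fr sh tls-preflight.sh from the slave: the openssl line shows whether the chain verifies with the CA file the consumer is supposed to use, and the libldap trace shows which CA file ldapsearch actually loaded, which makes a trust-store mismatch between the two clients visible immediately.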