
Re: OpenLDAP syncrepl over SSL



On 07/31/2013 12:36 PM, Tony Davis wrote:
Hi,

I wonder if anyone can help me with a question I have regarding an
openldap setup on Redhat / Centos 5.8 using openldap-2.3.43.

I am trying to set up replication. I have set this up using the simple
bind method, which stores a password for the replication in the config.
(This works.) But I wondered if there is a way to have this replication
take place using SSL certificates without the need to store the unhashed
password in slapd.conf? Is this possible? Or do I still have to
specify a replication user and pass, but all the auth takes place over SSL?

This is my current config for replication:

    syncrepl rid=001
             provider=ldap://master01.tld
             type=refreshAndPersist
             interval=00:00:05:00
             retry="5 5 300 +"
             searchbase="dc=tld"
             attrs="*,+"
             bindmethod=sasl
             saslmech=EXTERNAL
             tls_cert=/etc/master02.tld.pem
             tls_key=/etc/master02.tld.key
             tls_cacert=/etc/openldap/cacerts/ca.pem
             tls_reqcert=demand
             starttls=yes

             mirrormode on
             updateref ldap://master01.tld


But in the replication log I get the following:

    Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001
    ldap_sasl_interactive_bind_s failed (7)
    Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying
    (3 retries left)
    Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor
    Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on:

I'm struggling with a similar problem (see message "N-Way Multi-Master TLS problem" from a few hours ago) so I'm afraid I don't have an answer for you. This FAQ entry might help:

http://www.openldap.org/faq/data/cache/1504.html

One tip: usually the developers/experienced folks on this list will advise you to upgrade your OpenLDAP version to the latest version using packages available from http://ltb-project.org or build the latest OpenLDAP from source against OpenSSL (not GnuTLS). Between 2.3.43 and the latest 2.4.35 version many syncrepl bugs have been fixed, so maybe start with that.

If you find a solution I would appreciate it if you could update the thread. It might provide a pointer on how to solve my problem.

Regards,
Patrick
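An added example, not part of this thread or of OpenLDAP itself: the consumer's log above only gives the numeric result code of the failed `ldap_sasl_interactive_bind_s` call, so the script below parses slapd syncrepl log lines, decodes the code with the standard LDAP resultCode names from RFC 4511 (7 is authMethodNotSupported, 49 is invalidCredentials, and so on) and tracks the remaining retry budget per replica id, which is what you want when watching a consumer for a silently stalled replication link. The sample log is constructed from the excerpt in the thread with the wrapped lines joined back into single records; a second replica id (rid 002, code 49) is constructed to show that the parser handles the general case, not just the one failure quoted here.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the slapd excerpt quoted in the thread
# (the wrapped lines are joined back into single syslog records; rid 002 is made up).
SAMPLE_LOG = """\
Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7)
Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying (3 retries left)
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor
Jul 31 11:11:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7)
Jul 31 11:11:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying (2 retries left)
Jul 31 11:12:00 master02 slapd[6958]: do_syncrep1: rid 002 ldap_sasl_interactive_bind_s failed (49)
Jul 31 11:12:00 master02 slapd[6958]: do_syncrepl: rid 002 retrying (3 retries left)
"""

# LDAP resultCode values from RFC 4511 that typically show up in syncrepl bind failures.
LDAP_RESULT_NAMES = {
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    52: "unavailable",
}

# "do_syncrep1: rid NNN <call> failed (code)" is the consumer-side bind failure record.
BIND_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[\d+\]: "
    r"do_syncrep1: rid (?P<rid>\d+) (?P<call>\w+) failed \((?P<code>\d+)\)"
)
# "do_syncrepl: rid NNN retrying (N retries left)" reports the remaining retry budget.
RETRY_RE = re.compile(
    r"do_syncrepl: rid (?P<rid>\d+) retrying \((?P<left>\d+) retries left\)"
)


def parse_bind_failures(log_text):
    """Return one dict per consumer bind failure, with the LDAP result code decoded."""
    failures = []
    for line in log_text.splitlines():
        m = BIND_FAIL_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        failures.append({
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "rid": m.group("rid"),
            "call": m.group("call"),
            "code": code,
            "name": LDAP_RESULT_NAMES.get(code, "unknown"),
        })
    return failures


def failure_summary(log_text):
    """Per replica id: failure count, distinct decoded result codes, last known retries left."""
    summary = defaultdict(lambda: {"failures": 0, "codes": set(), "retries_left": None})
    for f in parse_bind_failures(log_text):
        entry = summary[f["rid"]]
        entry["failures"] += 1
        entry["codes"].add(f["name"])
    for line in log_text.splitlines():
        m = RETRY_RE.search(line)
        if m:
            summary[m.group("rid")]["retries_left"] = int(m.group("left"))
    return dict(summary)


def exhausting_rids(log_text, threshold=2):
    """Replica ids whose retry budget has dropped to the threshold or below."""
    return sorted(
        rid for rid, e in failure_summary(log_text).items()
        if e["retries_left"] is not None and e["retries_left"] <= threshold
    )


if __name__ == "__main__":
    for rid, e in sorted(failure_summary(SAMPLE_LOG).items()):
        print(f"rid {rid}: {e['failures']} bind failure(s), codes={sorted(e['codes'])}, "
              f"retries left={e['retries_left']}")
    print("rids running out of retries:", exhausting_rids(SAMPLE_LOG))
```

Feed it the consumer's slapd log (`python3 script.py < /var/log/slapd.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`); a replica id that keeps logging the same code while its retry count falls is the signal to look at the bind configuration on that consumer rather than at the network.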