
Re: SSL replication deadlocks slapd



Definitely not an entropy problem. I see "ACCEPT" in the logs, but nothing else.

I hadn't realized RedHat was so damn behind. I'm going to generate a custom package with the latest version and see if the problem goes away.


On Wed, Sep 25, 2013 at 2:21 PM, Dan White <dwhite@olp.net> wrote:
> On 09/25/13 13:43 -0700, Chad Scott wrote:
> > I'm having a lot of trouble with replication when using SSL. If I configure
> > everything exactly the same without SSL, it works flawlessly. The instant I
> > try to encrypt traffic, one or both servers will deadlock, even after
> > restart.
>
> Does slapd still respond? If so, verify that your entropy is not being
> depleted for your ssl connections. I believe by default openssl uses
> /dev/random which can block. Check /proc/sys/kernel/random/entropy_avail.
>
> > I'm configuring according to the instructions at
> > http://www.openldap.org/doc/admin24/replication.html#N-Way Multi-Master,
> > except using ldaps:// instead of ldap://.
> >
> > In cn=config, I've set up:
> > olcTLSCACertificateFile: /etc/openldap/certs/Operations_CA_Certificate.pem
> > olcTLSCertificateFile: /etc/openldap/certs/ldap.pem
> > olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
> >
> > I've also tried using STARTTLS over ldap:// and it seems to make no
> > difference.
> >
> > Permissions are right and I can connect via SSL from clients without issue.
> >
> > I'm completely stumped as to what might be going on. Has anyone seen this
> > before?
> >
> > This is running on Scientific Linux 6 with the following packages:
> > openldap-2.4.23-32.el6_4.x86_64
> > openldap-clients-2.4.23-32.el6_4.x86_64
> > openldap-servers-2.4.23-32.el6_4.x86_64
>
> --
> Dan White
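Dan's two-part check above (does slapd still answer, and is /proc/sys/kernel/random/entropy_avail being drained) as a small diagnostic script. This is an added example, not code from the thread; it assumes openldap-clients (ldapwhoami) and coreutils timeout(1) are installed, and the 200-bit threshold and ldaps://localhost URI are placeholders.

```shell
#!/bin/sh
# Diagnostic for a slapd that wedges under TLS: report the kernel entropy
# pool and probe the server with a bounded timeout. Added example; the
# threshold, file path and URI below are assumptions, not thread values.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
ENTROPY_MIN="${ENTROPY_MIN:-200}"   # assumed: below this, /dev/random reads tend to block

# check_entropy [file] [min]: prints the pool size; returns 0 when at least
# min bits are available, 1 when the pool is low, 2 when the file is unreadable.
check_entropy() {
    file="${1:-$ENTROPY_FILE}"
    min="${2:-$ENTROPY_MIN}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    avail=$(tr -cd '0-9' < "$file")
    [ -n "$avail" ] || { echo "no numeric value in $file" >&2; return 2; }
    echo "$avail"
    [ "$avail" -ge "$min" ]
}

# probe_slapd [uri] [seconds]: anonymous simple bind via ldapwhoami, bounded by
# timeout(1) and -o nettimeout so a wedged slapd cannot hang this script.
probe_slapd() {
    uri="${1:-ldaps://localhost}"
    secs="${2:-5}"
    timeout "$secs" ldapwhoami -x -H "$uri" -o nettimeout="$secs" >/dev/null 2>&1
    rc=$?
    # 124 = timeout(1) killed it (wedged); 127 = ldapwhoami/timeout missing;
    # 255 = LDAP_SERVER_DOWN (refused or TLS setup failed). Any other LDAP
    # result code (e.g. anonymous bind refused) still means slapd processed
    # the request, which is the question being asked.
    case $rc in 124|127|255) return 1 ;; *) return 0 ;; esac
}

main() {
    if avail=$(check_entropy); then
        echo "entropy_avail=${avail} (ok)"
    else
        echo "entropy_avail=${avail:-?} (LOW or unreadable: /dev/random reads may block)"
    fi
    if probe_slapd "$@"; then
        echo "slapd answered over ${1:-ldaps://localhost}"
    else
        echo "slapd did not answer within ${2:-5}s (wedged, or TLS setup failing?)"
    fi
}

main "$@"
```

Run it on each replica while the other is restarted; a healthy entropy pool together with a probe timeout points away from /dev/random blocking and toward slapd itself.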