Re: Syncrepl TLS woes
- To: openldap-technical@openldap.org
- Subject: Re: Syncrepl TLS woes
- From: Dieter Klünter <dieter@dkluenter.de>
- Date: Mon, 28 Mar 2016 14:41:45 +0200
- In-reply-to: <CAOdJ4eO_g8rhPi=YnBHZ6sgJpPo266B4jy76pi983D47+3aCcQ@mail.gmail.com>
- Organization: AVCI
- References: <CAOdJ4eO_g8rhPi=YnBHZ6sgJpPo266B4jy76pi983D47+3aCcQ@mail.gmail.com>
On Sun, 27 Mar 2016 19:15:20 -0400,
Xavier Landreville <xavier@openconcept.ca> wrote:
> Hello,
>
> I am currently in the grips of trying to get syncrepl replication
> working with StartTLS. It was working fine until recently. The only
> change that occurred over the last 12 months (that relates to
> OpenLDAP) is that I've started requiring TLS for connections.
>
> My provider is running OpenLDAP 2.4.31 on Ubuntu 14.04, while one
> consumer is running the exact same version on a Ubuntu 14.04 machine
> and the other consumer is running OpenLDAP 2.4.28 on Ubuntu 12.04.
>
> The provider has, AFAIK, a correct TLS configuration, given that I can
> connect and search using the ldapsearch -ZZ utility from any of the
> servers.
>
> The syncprov overlay is loaded and configured on the provider.
>
> The consumers have the following (redacted, with unique rid values)
> olcSyncRepl:
>
> olcSyncrepl: {0}rid=1 provider=ldap://[LDAP_DNS] bindmethod=simple binddn="[SYNC_USER]" credentials=[SYNC_PASS] searchbase="[LDAP_BASE]" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=critical tls_reqcert=demand
>
> Unfortunately, both consumers can't seem to be able to actually
> start the TLS connection:
>
> slapd[1257]: slap_client_connect: URI=ldap://[LDAP_DNS] Error,
> ldap_start_tls failed (-11)
> slapd[1257]: do_syncrepl: rid=001 rc -11 retrying
>
> And the provider shows the following errors:
>
> slapd[2126]: conn=1586 fd=100 ACCEPT from IP=[CONSUMER_IP]:35500
> (IP=0.0.0.0:389)
> slapd[2126]: conn=1586 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> slapd[2126]: conn=1586 op=0 STARTTLS
> slapd[2126]: conn=1586 op=0 RESULT oid= err=0 text=
> slapd[2126]: conn=1586 fd=100 closed (TLS negotiation failure)
>
> Is there anything that I'm missing?
Yes, you need to configure the path to the CA cert.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
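A worked example, added here and not part of the thread or of the OpenLDAP project: the consumer's olcSyncrepl value quoted above asks for StartTLS with tls_reqcert=demand (which is also the syncrepl default when tls_reqcert is not given) but names neither tls_cacert nor tls_cacertdir, so the consumer has no trust anchor to verify the provider's certificate against, abandons the handshake (ldap_start_tls returns -11, LDAP_CONNECT_ERROR) and the provider logs the closed connection as a TLS negotiation failure. The script below audits such a value for that condition, appends a tls_cacert, and prints the LDIF to apply on the consumer. The CA bundle path /etc/ssl/certs/ldap-ca.pem, the database DN olcDatabase={1}hdb,cn=config and the sample value are assumptions (the sample mirrors the redacted value posted above); the check is purely textual and cannot see a global olcTLSCACertificateFile on the consumer, which the directive's tls_* options fall back to when they are not set.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project: audit an
# olcSyncrepl value for StartTLS-with-verification but no trust anchor, and
# emit the LDIF that adds one. Paths and DNs below are assumed (hypothetical).

CA_FILE="${CA_FILE:-/etc/ssl/certs/ldap-ca.pem}"   # assumed CA bundle on the consumer
DB_DN='olcDatabase={1}hdb,cn=config'                 # assumed consumer database entry

# syncrepl_needs_cacert VALUE
# Prints "missing" when the directive requests StartTLS and will verify the
# provider's certificate (tls_reqcert=demand or try, or unset: the syncrepl
# default is demand) yet names neither tls_cacert nor tls_cacertdir; prints
# "ok" otherwise. Textual only: it cannot see a global olcTLSCACertificateFile.
syncrepl_needs_cacert() {
    value=$1
    case "$value" in
        *starttls=*) ;;                 # StartTLS requested, keep checking
        *) echo ok; return 0 ;;         # plain ldap://, nothing to verify
    esac
    case "$value" in
        *tls_reqcert=never*|*tls_reqcert=allow*)
            echo ok; return 0 ;;        # verification failures are ignored
    esac
    case "$value" in
        *tls_cacert=*|*tls_cacertdir=*) echo ok ;;
        *) echo missing ;;
    esac
}

# syncrepl_add_cacert VALUE FILE
# Appends tls_cacert=FILE unless a CA file or directory is already named
# (idempotent, so it can be run on an already-fixed value).
syncrepl_add_cacert() {
    case "$1" in
        *tls_cacert=*) printf '%s\n' "$1" ;;
        *) printf '%s tls_cacert=%s\n' "$1" "$2" ;;
    esac
}

# ldif_replace_syncrepl DN VALUE
# LDIF that replaces olcSyncrepl on the consumer's database entry; the {0}
# ordering prefix is kept so the rid keeps its slot.
ldif_replace_syncrepl() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcSyncrepl\nolcSyncrepl: %s\n' "$1" "$2"
}

# Constructed sample: the redacted value from the post, joined onto one line.
SAMPLE='{0}rid=1 provider=ldap://[LDAP_DNS] bindmethod=simple binddn="[SYNC_USER]" credentials=[SYNC_PASS] searchbase="[LDAP_BASE]" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=critical tls_reqcert=demand'

if [ "$(syncrepl_needs_cacert "$SAMPLE")" = missing ]; then
    FIXED=$(syncrepl_add_cacert "$SAMPLE" "$CA_FILE")
    ldif_replace_syncrepl "$DB_DN" "$FIXED"
    # On the consumer:  ldapmodify -Y EXTERNAL -H ldapi:/// -f fix-syncrepl.ldif
    # Then confirm the bundle really validates the provider's certificate, using
    # the same libldap the consumer's slapd links against:
    #   LDAPTLS_CACERT=$CA_FILE ldapsearch -ZZ -x -H ldap://[LDAP_DNS] -b '' -s base
fi
```

Note that ldapsearch -ZZ succeeding from the consumer only shows that the command-line tools trust the CA (through ldap.conf or the environment); it says nothing about what slapd's own replication client trusts, which comes from the directive's tls_* options or the consumer's own TLS configuration. After the modify, slapd restarts the rid's connection on its own, and the "ldap_start_tls failed (-11)" line should stop appearing in the consumer log.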