Full_Name: Version: 2.4.20 OS: RHEL 6.3 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (121.245.72.156)
Hi List
While configuring OpenLDAP replication with SSL, I am getting the log messages below:
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
conn=1069 fd=15 closed (TLS negotiation failure)
slap_client_connect: URI=ldap://10.242.151.17:636 Warning, ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://10.242.151.17:636 DN="cn=manager,dc=idm,dc=com" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=777 rc -1 retrying
slap_client_connect: URI=ldap://10.243.129.6:636 Warning, ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://10.243.129.6:636 DN="cn=manager,dc=idm,dc=com" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=444 rc -1 retrying
conn=1070 fd=15 ACCEPT from IP=10.242.151.17:44531 (IP=0.0.0.0:636)
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
conn=1070 fd=15 closed (TLS negotiation failure)
slap_client_connect: URI=ldap://10.242.151.17:636 Warning, ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://10.242.151.17:636 DN="cn=manager,dc=idm,dc=com" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=777 rc -1 retrying
slap_client_connect: URI=ldap://10.243.129.6:636 Warning, ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://10.243.129.6:636 DN="cn=manager,dc=idm,dc=com" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=444 rc -1 retrying
conn=1071 fd=15 ACCEPT from IP=10.242.151.17:44533 (IP=0.0.0.0:636)
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
conn=1071 fd=15 closed (TLS negotiation failure)
slap_client_connect: URI=ldap://10.242.151.17:636 Warning, ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://10.242.151.17:636 DN="cn=manager,dc=idm,dc=com" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=777 rc -1 retrying
slap_client_connect: URI=ldap://10.243.129.6:636 Warning, ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://10.243.129.6:636 DN="cn=manager,dc=idm,dc=com" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=444 rc -1 retrying
I am using self-signed certificates.
When I do a search:
# ldapsearch -d 1 -x -b "dc=ibm,dc=com" -H 'ldaps://10.xx.xx.x' -ZZ
ldap_url_parse_ext(ldaps://10.xx.xx.x)
ldap_create
ldap_url_parse_ext(ldaps://10.xx.xx.x:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.xx.xx.x:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.xx.xx.x:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=IN/ST=HR/L=GGN/O=SAPIENT/OU=ISST/CN=localhost/emailAddress=akumar178@sapient.com, issuer: /C=IN/ST=HR/L=GGN/O=SAPIENT/OU=ISST/CN=localhost/emailAddress=akumar178@sapient.com
TLS certificate verification: Error, self signed certificate
TLS certificate verification: depth: 0, err: 18, subject: /C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=localhost/emailAddress=akumar178@sapient.com, issuer: /C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=localhost/emailAddress=akumar@sap.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
TLS: unable to get peer certificate.
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x1942aa0 msgid 1
wait4msg ld 0x1942aa0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1942aa0 msgid 1 all 1
** ld 0x1942aa0 Connections:
* host: 10.243.129.6 port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Nov 15 11:58:52 2012

** ld 0x1942aa0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x1942aa0 request count 1 (abandoned 0)
** ld 0x1942aa0 Response Queue:
Empty
ld 0x1942aa0 response count 0
ldap_chkResponseList ld 0x1942aa0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1942aa0 NULL
ldap_int_select
read1msg: ld 0x1942aa0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 31 contents:
read1msg: ld 0x1942aa0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1942aa0 0 new referrals
read1msg: mark request completed, ld 0x1942aa0 msgid 1
request done: ld 0x1942aa0 msgid 1
res_errno: 1, res_error: <TLS already started>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_start_tls: Operations error (1)
	additional info: TLS already started
# ldapsearch -d 1 -x -b "dc=ibm,dc=com" -H 'ldaps://localhost' -ZZ
ldap_url_parse_ext(ldaps://localhost)
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=localhost/emailAddress=akumar@sap.com, issuer: /C=IN/ST=HR/L=GGN/O=SAPIENT/OU=ISST/CN=localhost/emailAddress=akumar@sap.com
TLS certificate verification: Error, self signed certificate
TLS certificate verification: depth: 0, err: 18, subject: /C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=localhost/emailAddress=akumar@sap.com, issuer: /C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=localhost/emailAddress=akumar@sap.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
TLS: unable to get peer certificate.
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x2172aa0 msgid 1
wait4msg ld 0x2172aa0 msgid 1 (infinite timeout)
wait4msg continue ld 0x2172aa0 msgid 1 all 1
** ld 0x2172aa0 Connections:
* host: localhost port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Nov 15 12:14:16 2012

** ld 0x2172aa0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x2172aa0 request count 1 (abandoned 0)
** ld 0x2172aa0 Response Queue:
Empty
ld 0x2172aa0 response count 0
ldap_chkResponseList ld 0x2172aa0 msgid 1 all 1
ldap_chkResponseList returns ld 0x2172aa0 NULL
ldap_int_select
read1msg: ld 0x2172aa0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 31 contents:
read1msg: ld 0x2172aa0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x2172aa0 0 new referrals
read1msg: mark request completed, ld 0x2172aa0 msgid 1
request done: ld 0x2172aa0 msgid 1
res_errno: 1, res_error: <TLS already started>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_start_tls: Operations error (1)
	additional info: TLS already started
My slapd.conf:
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /apps/openldap/var/run/slapd.pid
argsfile /apps/openldap/var/run/slapd.args

# Load dynamic backend modules:
# modulepath /app/openldap/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
#access to *
#by self write
#by users read
#by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

### logging ###
logfile /apps/logs/ldap
loglevel 16640

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=ibm,dc=com"
# Restrict userPassword to be used for authentication only, but allow users to modify
# their own passwords.
access to attrs=userPassword
    by self write
    by * auth

# Simple ACL granting read access to the world
access to *
    by * read

rootdn "cn=Manager,dc=ibm,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}dXDFS3TAzYf8DrDSYWY

################## SSL ##########################################
# TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /apps/openldap/etc/openldap/certs/mmprodadm04.pem
TLSCertificateFile /apps/openldap/etc/openldap/certs/mmprodadm04.pem
TLSCertificateKeyFile /apps/openldap/etc/openldap/certs/mmprodadm04.pem
#
####################################################################

#Replication Configuration
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
index entryCSN,entryUUID eq

serverid 2
## DR ldap server replication
syncrepl rid=444
    provider=ldap://10.x.x.x:636
    binddn="cn=Manager,dc=ibm,dc=com"
    bindmethod=simple
    credentials=xxxxxxxx
    starttls=yes
    tls_reqcert=never
    searchbase="dc=ibm,dc=com"
    type=refreshAndPersist
    retry="5 5 300 +"
    interval=00:00:00:10

syncrepl rid=777
    provider=ldap://10.x.x.x:636
    binddn="cn=Manager,dc=ibm,dc=com"
    bindmethod=simple
    credentials=xxxxxxxxx
    starttls=yes
    tls_reqcert=never
    searchbase="dc=ibm,dc=com"
    type=refreshAndPersist
    retry="5 5 300 +"
    interval=00:00:00:10

#### mirrormode true

#### Cache Entries #####
cachesize 3000000
lastmod on
checkpoint 128 15
concurrency 100

#database monitor

# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /apps/openldap/var/openldap-data

# Indices to maintain
#index objectClass eq
index mail,uid,postalCode,smail,channelType,channelValue,answer,behavName,objectclass,tokenID,type eq
index givenName,sn,city,question,behavValue,cn,extName sub
index displayName approx
My ldap.conf file:

URI ldaps://localhost
BASE dc=ibm,dc=com
ssl start_tls
ssl on
tls_checkpeer no
TLS_REQCERT allow
tls_cacertfile /apps/openldap/etc/openldap/certs/mmprodam04.pem
tls_cacertdir /apps/openldap/etc/openldap/certs
I am using a self-signed certificate.
Please let me know if I am going wrong.
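As an added example (not part of this report or of OpenLDAP), a small Python lint that parses syncrepl stanzas like the ones above and flags a provider URI whose scheme, port and starttls setting disagree: an ldap:// URI on port 636 with starttls=yes sends plaintext LDAP to a listener that expects a TLS ClientHello, which is what the "SSL23_GET_CLIENT_HELLO:unknown protocol" / "ldap_start_tls failed" pair in the log records. It also flags tls_reqcert values that skip certificate verification. The sample stanzas are constructed from the report's placeholder addresses; rid=777 is rewritten as a consistent ldaps:// stanza for contrast.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: rid=444 as posted in the report, rid=777 made consistent.
SAMPLE_SLAPD_CONF = """\
syncrepl rid=444 provider=ldap://10.x.x.x:636 binddn="cn=Manager,dc=ibm,dc=com"
    bindmethod=simple credentials=xxxxxxxx starttls=yes tls_reqcert=never
    searchbase="dc=ibm,dc=com" type=refreshAndPersist retry="5 5 300 +"
syncrepl rid=777 provider=ldaps://10.x.x.x:636 binddn="cn=Manager,dc=ibm,dc=com"
    bindmethod=simple credentials=xxxxxxxx tls_reqcert=demand
    searchbase="dc=ibm,dc=com" type=refreshAndPersist retry="5 5 300 +"
"""

# key=value pairs; quoted values may contain spaces (retry="5 5 300 +")
PARAM_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syncrepl(conf):
    """Return one {param: value} dict per syncrepl directive.
    slapd.conf continues a directive on lines starting with whitespace,
    so those are folded back onto the directive line first."""
    folded = re.sub(r"\n[ \t]+", " ", conf)
    return [{k: v.strip('"') for k, v in PARAM_RE.findall(line)}
            for line in folded.splitlines() if line.startswith("syncrepl ")]


def check_syncrepl(params):
    """Return findings for one stanza: transport mismatch first, then cert checks."""
    findings = []
    url = urlsplit(params.get("provider", ""))
    starttls = params.get("starttls", "no").lower() != "no"
    port = url.port or (636 if url.scheme == "ldaps" else 389)
    if url.scheme == "ldap" and port == 636:
        # plaintext LDAP hits an ldaps listener: the server rejects the
        # non-TLS bytes (unknown protocol) and the consumer's StartTLS fails
        findings.append("ldap:// on port 636: use ldaps:// or port 389 with starttls")
    elif url.scheme == "ldaps" and starttls:
        findings.append("starttls on ldaps://: TLS already started")
    elif url.scheme == "ldap" and not starttls:
        findings.append("plaintext provider without starttls: bind credentials in clear")
    if params.get("tls_reqcert", "demand").lower() in ("never", "allow"):
        findings.append("tls_reqcert=%s: provider certificate is not verified"
                        % params["tls_reqcert"])
    return findings


def lint(conf):
    """Map rid -> findings for every syncrepl stanza in conf."""
    return {s.get("rid", "?"): check_syncrepl(s) for s in parse_syncrepl(conf)}
```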