Full_Name: Ben Huang
Version: 2.4.37
OS: Ubuntu 12.04.4 LTS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (202.130.86.130)
Two servers: Provider (a public IP) and Consumer (a private IP), both running slapd 2.4.37 on Ubuntu 12.04. Replica is a replication partner of Provider using syncrepl. Replication and TLS are working fine. When I attempt to add a chain overlay to Replica to send all writes over to the Provider, I cannot enable TLS from the consumer to the LDAP Provider.
Here is my overlay config using the rootDN and TLS (on Replica):
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config

dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbStartTLS: none starttls=no
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0

dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: "ldap://provider.example.com"
olcDbStartTLS: start starttls=no
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=admin,dc=ufreight,dc=com" credentials="password" keepalive=0:0:0
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0
With the above configuration, running the following command is OK:

# ldapsearch -xLLL -H ldap://ldap-u1.ufreight.com -ZZ uid=testuser dn
dn: uid=testuser,ou=People,dc=ufreight,dc=com
But the error below occurred when I tried to add an entry on the consumer.

ldapadd -x -D "cn=admin,dc=ufreight,dc=com" -w password -f add_user.ldif -ZZ
adding new entry "uid=test,ou=People,dc=ufreight,dc=com"
ldap_add: Server is unavailable (52)
Consumer LDAP logs:

Nov 5 19:12:28 consumer slapd[6575]: conn=1005 fd=16 ACCEPT from IP=127.0.0.1:41018 (IP=0.0.0.0:389)
Nov 5 19:12:29 consumer slapd[6575]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Nov 5 19:12:29 consumer slapd[6575]: conn=1005 op=0 STARTTLS
Nov 5 19:12:29 consumer slapd[6575]: conn=1005 op=0 RESULT oid= err=0 text=
Nov 5 19:12:30 consumer slapd[6575]: conn=1005 fd=16 TLS established tls_ssf=128 ssf=128
Nov 5 19:12:31 consumer slapd[6575]: conn=1005 op=1 BIND dn="cn=admin,dc=ufreight,dc=com" method=128
Nov 5 19:12:31 consumer slapd[6575]: conn=1005 op=1 BIND dn="cn=admin,dc=ufreight,dc=com" mech=SIMPLE ssf=0
Nov 5 19:12:31 consumer slapd[6575]: conn=1005 op=1 RESULT tag=97 err=0 text=
Nov 5 19:12:32 consumer slapd[6575]: conn=1005 op=2 ADD dn="uid=test,ou=People,dc=ufreight,dc=com"
Nov 5 19:12:32 consumer slapd[6575]: conn=1005 op=2 RESULT tag=105 err=52 text=
Nov 5 19:12:33 consumer slapd[6575]: conn=1005 op=3 UNBIND
Nov 5 19:12:33 consumer slapd[6575]: conn=1005 fd=16 closed

Provider LDAP logs:

Nov 5 19:11:18 provider slapd[17011]: conn=312743 fd=13 ACCEPT from IP=140.207.172.138:39551 (IP=0.0.0.0:389)
Nov 5 19:11:18 provider slapd[17011]: conn=312743 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Nov 5 19:11:18 provider slapd[17011]: conn=312743 op=0 STARTTLS
Nov 5 19:11:18 provider slapd[17011]: conn=312743 op=0 RESULT oid= err=0 text=
Nov 5 19:11:19 provider slapd[17011]: conn=312743 fd=13 closed (TLS negotiation failure)
Any suggestion as to what causes the TLS negotiation failure? Thank you very much.
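As an added example, not part of the report above and not a confirmed fix for it, the LDIF below shows the TLS client options that slapd-ldap(5) documents for the chain database's tls directive (olcDbStartTLS in cn=config): tls_cacert, tls_cacertdir, tls_reqcert, tls_cert and tls_key. The posted configuration sets only "start" on that attribute, so the outbound StartTLS from slapd relies on whatever the libldap client defaults are. The DN is the one from the report; the CA file path /etc/ssl/certs/provider-ca.pem and the file name chain-tls.ldif are assumptions.

```ldif
# Added example (assumed paths): give the chain database its own TLS client
# settings instead of relying on the libldap defaults.
dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcDbStartTLS
olcDbStartTLS: start tls_cacert=/etc/ssl/certs/provider-ca.pem tls_reqcert=demand
```

Load it on the consumer with `ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f chain-tls.ldif`. With tls_reqcert=demand the provider's certificate must chain to that CA and its subject/SAN must match the host in olcDbURI (provider.example.com in the report), which is the same check a client performs; a quick way to confirm the CA and hostname before touching slapd is `LDAPTLS_CACERT=/etc/ssl/certs/provider-ca.pem ldapsearch -x -H ldap://provider.example.com -ZZ -b '' -s base`, run on the consumer. If that command cannot complete StartTLS, the chain database, which goes through the same client library, is unlikely to either.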