On Tuesday 30 June 2009 21:12:08 Peter Clark wrote:
Hello,
I have a FreeBSD 7.2 Release box with openldap-2.4.16 installed on it. I
have followed the Admin guide to setting up Delta-Sync replication and
it works as long as I do not use either "ldaps" or "starttls=yes" on
the slave, i.e.:
syncrepl rid=0
provider=ldap://joe.pdq.edu
starttls=yes
bindmethod=simple
binddn="cn=ldaproot,dc=pdq,dc=edu"
credentials="XXXXXXXXX"
searchbase="dc=pdq,dc=edu"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncdata=accesslog
or
syncrepl rid=0
provider=ldaps://joe.pdq.edu
bindmethod=simple
binddn="cn=ldaproot,dc=mtmary,dc=edu"
credentials="XXXXXXXX"
searchbase="dc=pdq,dc=edu"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncdata=accesslog
I note you don't have the tls_cacert or tls_cacertdir option specified, and
neither the tls_reqcert nor the tls_crlcheck options.
I have set my loglevel to -1 on both boxes and the only thing that shows
up in the logs referring to tls is:
(Master server)
slapd[9572]: conn=1 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[9572]: do_extended: oid=1.3.6.1.4.1.1466.20037
slapd[9572]: conn=1 op=0 STARTTLS
slapd[9572]: send_ldap_extended: err=0 oid= len=0
slapd[9572]: send_ldap_response: msgid=1 tag=120 err=0
slapd[9572]: conn=1 op=0 RESULT oid= err=0 text=
slapd[9572]: daemon: activity on 1 descriptor
slapd[9572]: connection_read(16): checking for input on id=1
slapd[9572]: connection_read(16): TLS accept failure error=-1 id=1, closing
slapd[9572]: connection_closing: readying conn=1 sd=16 for close
slapd[9572]: connection_close: conn=1 sd=16
slapd[9572]: daemon: removing 16
slapd[9572]: conn=1 fd=16 closed (TLS negotiation failure)
(Slave Server)
slapd[10846]: =>do_syncrepl rid=000
slapd[10846]: daemon: activity on 1 descriptor
slapd[10846]: daemon: waked
slapd[10846]: daemon: select: listen=6 active_threads=0 tvp=zero
slapd[10846]: daemon: select: listen=7 active_threads=0 tvp=zero
slapd[10846]: daemon: select: listen=8 active_threads=0 tvp=zero
slapd[10846]: daemon: select: listen=9 active_threads=0 tvp=zero
slapd[10846]: slap_client_connect: URI=ldap://joe.pdq.edu Warning, ldap_start_tls failed (-11)
slapd[10846]: slap_client_connect: URI=ldap://joe.pdq.edu DN="cn=ldaproot,dc=pdq,dc=edu" ldap_sasl_bind_s failed (-1)
Is there some way to see what exactly is failing between the units? I
have tried the credentials line with quotes around the password and
without. I have made sure the provider= is the FQDN of the master. Any help
would be appreciated.
Can you use start_tls with an OpenLDAP client? E.g. does:
$ ldapwhoami -x -ZZ -H ldap://joe.pdq.edu
work?
If not, then you need to consider the usual certificate validation rules:
- Server must have a server cert
- Cert (chain) must be signed by a trusted CA certificate available locally on the client
- The subject CN on the cert must match the hostname you are using to connect as
If your syncrepl configuration for TLS must differ from that for the OpenLDAP
command-line clients, you must specify the tls_ options in the syncrepl
statement, otherwise I believe setting them in the OpenLDAP ldap.conf is
sufficient (and then you can test with the OpenLDAP commandline clients).
If you still don't come right, then you should make logging more verbose on
the client side ...
Regards,
Buchan
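As an added illustration (not from either poster), the consumer's syncrepl statement with the tls_ options named above set explicitly, beside the ldap.conf that makes the ldapwhoami -ZZ test validate the same way, so a failure in one reproduces in the other. The CA file path is an assumption; the provider hostname is the one from the thread.

```conf
# /usr/local/etc/openldap/slapd.conf on the consumer (slave)
#
# Weak variant (as in the original posting): no tls_ options, so the
# consumer falls back to whatever ldap.conf says, and a missing CA file
# or a hostname/CN mismatch surfaces only as "ldap_start_tls failed (-11)".
#
# syncrepl rid=0
#     provider=ldap://joe.pdq.edu
#     starttls=yes
#     bindmethod=simple
#     ...

# Hardened variant: pin the trust anchor and require a valid, matching
# server certificate. /usr/local/etc/openldap/cacert.pem is an assumed path;
# it must hold the CA that signed the provider's server certificate.
syncrepl rid=0
    provider=ldap://joe.pdq.edu
    starttls=critical
    tls_cacert=/usr/local/etc/openldap/cacert.pem
    tls_reqcert=demand
    tls_crlcheck=none
    bindmethod=simple
    binddn="cn=ldaproot,dc=pdq,dc=edu"
    credentials="XXXXXXXXX"
    searchbase="dc=pdq,dc=edu"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog

# /usr/local/etc/openldap/ldap.conf on the same host: identical trust
# settings for the command-line clients, so that
#   ldapwhoami -x -ZZ -H ldap://joe.pdq.edu
# exercises exactly the validation the syncrepl consumer will perform.
#
# TLS_CACERT  /usr/local/etc/openldap/cacert.pem
# TLS_REQCERT demand
```

With starttls=critical the consumer refuses to continue in the clear if STARTTLS fails, and tls_reqcert=demand makes a certificate that does not chain to the pinned CA, or whose CN does not match joe.pdq.edu, a hard error on the consumer rather than a silent downgrade.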