RUMI Szabolcs rumi_ml@rtfm.hu writes:
Hello!
On Thu, 20 Dec 2007 11:03:44 -0500 "Chris G. Sellers" chris.sellers@nitle.org wrote:
I have setup sync replication on two OpenLDAP servers. I have it successfully working via ldap://:389
I then setup TLS for SSL connections. I used a self signed cert (using the OpenLDAP how-to) as well as a CAsigned cert from cacert.org. I've setup the ca.crt in the ldap.conf file on both the master and slave. I've also setup the ca.cert in the TLS for the master server that the sync repl host connects to.
I've tested the cert with a connection via ldap -Z and -d debug option and seen that the cert appears to be validated.
So, when I turn on ldaps:// for the syncrepl section of the slave server, and use port 389 I get a bind error
ldaps:// is a server initiated tls session, while starttls on ldap:// is a client initiated tls session. Don't forget that syncrepl is a client connection to the server.
[...]
which suggests that the connection could not be made on port 389 via TLS. I can't figure out how to tell the repl connection to send a certificate. Do I have to setup a user in LDAP with a cert? Do I put a client cert into the syncrepl section of the slapd.conf file on the slave? Please advise.
as already mentioned, syncrepl is a client operation, thus ldap.conf(5) would be applicable, but slapd.conf(5) has in addition configuration parameters, just search for syncrepl.
Indeed, I have also found that in the OpenLDAP documentation there are no directions about what kind of cert should be used for a syncrepl consumer, nor about how they could be specified - one may guess that one has to use the tls-related suboptions of the syncrepl option but there are no directions, no examples, no nothing. And then it does not work in the first place and does not have usable log or even debug output either...
read the docs carefully! And think twice!
[...]
When I set up normal SSL with provider="ldaps://<host>:636" then I simply get the same error you're getting and even with debug mode I could not get any details about the TLS/SSL handshake or what exactly the problem is.
First test with openssl tools, like s_client(1).
IMHO it is extremely harsh how the self-signed certs are treated by OpenLDAP. In the majority of cases this is forcing people (after many hours of struggling) to use "TLS_REQCERT never" or similar settings, which ends up being a lot more insecure than it would be to accept a known self-signed cert... Not to mention that the syncrepl suboption "tls_reqcert=never" is apparently ignored so practically I've found that syncrepl is currently inoperable with any form of encryption. Is there anybody who could tell me what this is good for?
I do understand your frustration, but that is mostly due to not reading the proper documentation. Forget about google, the only relevant source of information is: http://www.openssl.org/docs/
I have no problems creating a valid certificate chain with the openssl tools, just modify openssl.cnf to your requirements:
./CA.pl -newca ./Ca.pl -newreq ./CA.pl -sign openssl rsa -in newreq.pem -out mykey.pem mv newcert.pem mycert.pem ./CA.pl -verify mycert.pem
-Dieter