Hi,
I installed OpenLDAP 2.4.11-1 on two Debian Lenny servers (srv3, srv4), in a master-slave configuration. I wanted to create a secure connection for syncrepl. srv3 is the master (provider) and srv4 is the slave (consumer). While I didn't use a secure connection, ldapsearch and syncrepl worked. After I set up the secure connection, syncrepl didn't work. I start slapd with -h "ldap://127.0.0.1/ ldaps:///" on both servers.
ldapsearch partially works.

Works from srv3:
  ldapsearch -H ldaps://srv3.mydomain.site:636 -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
  ldapsearch -H ldaps://srv4.mydomain.site:636 -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
  ldapsearch -H ldap://127.0.0.1:389 -x -W -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"

Works from srv4:
  ldapsearch -H ldaps://srv4.mydomain.site:636/ -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
  ldapsearch -H ldap://127.0.0.1:389 -x -W -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"

Doesn't work from srv4:
  ldapsearch -H ldaps://srv3.mydomain.site:636/ -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
  Enter LDAP Password:
  (after I give the password, it waits 1-2 seconds)
  ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
On srv3:
/etc/ldap/ldap.conf:
host        127.0.0.1
base        dc=mydomain,dc=site
logdir      /var/lib/ldap/log
TLS_REQCERT hard
TLS_CACERT  /etc/ssl/certs/cacert.pem
slapd.conf:
#########################################
# Global Directives:

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba3.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        conns stats filter
idletimeout     30

modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      syncprov

sizelimit       unlimited
tool-threads    1

TLSCertificateFile      /etc/ssl/certs/srv3cert.pem
TLSCertificateKeyFile   /etc/ssl/private/srv3key.pem
TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSVerifyClient         never

#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         hdb
database        hdb
suffix          "dc=mydomain,dc=site"
rootdn          "cn=adm,dc=mydomain,dc=site"
rootpw          {SSHA}.......
directory       "/var/lib/ldap"

dbconfig set_cachesize 0 100000000 1
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 524288
dbconfig set_lg_dir /var/lib/ldap/log
dbconfig set_flags DB_LOG_AUTOREMOVE

index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index sambaSIDList eq
index sambaGroupType eq
index entryCSN,entryUUID eq

lastmod on
checkpoint 512 30

access to *
        by dn.exact="cn=replicator,dc=mydomain,dc=site" tls_ssf=128 read
        by * break

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange
        by dn="cn=admin,dc=mydomain,dc=site" write
        by dn="cn=replicator,dc=mydomain,dc=site" read
        by anonymous auth
        by self write
        by * none

access to dn.base=""
        by * read

access to *
        by dn="cn=admin,dc=mydomain,dc=site" write
        by dn="cn=replicator,dc=mydomain,dc=site" read
        by self write
        by * read

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
On srv4:

/etc/ldap/ldap.conf:
host        127.0.0.1
logdir      /var/lib/ldap/log
TLS_REQCERT hard
TLS_CACERT  /etc/ssl/certs/cacert.pem
Thanks, Tamas.
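With TLS_REQCERT hard, any failure in the TLS handshake or certificate check is reported by ldapsearch only as the bare "Can't contact LDAP server (-1)" shown above. The script below is an added example, not code from this thread: it repeats the consumer-side connection to the provider's ldaps port with the same policy (chain check against the CA file plus hostname match) using only the Python standard library, and names the real failure. The CA path and the srv3 hostname are assumed from the poster's configuration.

```python
import os
import socket
import ssl

# Assumed: the CA file path from the poster's ldap.conf (not checked here).
DEFAULT_CAFILE = "/etc/ssl/certs/cacert.pem"


def classify(exc):
    """Map a connect/handshake exception to a short diagnosis label."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_verify_failed"     # unknown CA, expired cert, or CN/SAN != hostname
    if isinstance(exc, ssl.SSLError):
        return "tls_handshake_failed"   # peer answered with something that is not TLS
    if isinstance(exc, socket.timeout):
        return "timeout"                # typical of a firewall silently dropping the port
    if isinstance(exc, ConnectionRefusedError):
        return "connection_refused"     # nothing listening on that address/port
    if isinstance(exc, OSError):
        return "connect_failed"         # DNS failure, unreachable network, reset
    return "unknown"


def probe_ldaps(host, port=636, cafile=DEFAULT_CAFILE, timeout=5.0):
    """One TLS connect with TLS_REQCERT hard semantics: chain check against
    `cafile` (system store when None) plus hostname match. Returns a dict."""
    result = {"host": host, "port": port, "status": "unknown", "detail": ""}
    if cafile is not None and not os.path.exists(cafile):
        return dict(result, status="cafile_missing", detail=cafile)
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # CN/SAN must match `host`
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject unverifiable chains outright
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["status"] = "ok"
                result["detail"] = "%s, subject=%s" % (tls.version(), cert.get("subject"))
    except Exception as exc:             # every failure mode gets a label
        result["status"] = classify(exc)
        result["detail"] = str(exc)
    return result


if __name__ == "__main__":  # e.g. python probe_ldaps.py srv3.mydomain.site
    import sys
    print(probe_ldaps(sys.argv[1]))
```

The same underlying TLS error is also printed by libldap when ldapsearch is run with -d 1.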