Good Morning,
I need some help understanding why things are the way they are. All nodes run slapd 2.3.34 and slurpd 2.3.34 on Fedora 7. All nodes' keys are self authenticated, i.e. links to from hash.
!!The Problem!!
ldapsearch works to NodeB server, iff NodeB_key is present on NodeA
slurpd works to NodeB server, iff NodeB_key is present on NodeA

Node A - ldap master/client
  /etc/ldap/cacerts/NodeA_pub.pem
  /etc/ldap/cacerts/NodeB_pub.pem
  /etc/pki/tls/certs/NodeA_key.pem
    ldapsearch works to NodeA ldap server.
  /etc/pki/tls/certs/NodeB_key.pem  <-- Why is this required?
    ldapsearch works to NodeB server, iff NodeB_key is present on NodeA
    slurpd works to NodeB server, iff NodeB_key is present on NodeA

Node B - ldap slave/client
  /etc/ldap/cacerts/NodeA_pub.pem
  /etc/ldap/cacerts/NodeB_pub.pem
  /etc/pki/tls/certs/NodeB_key.pem
    ldapsearch works to all ldap servers.

Node C - ldap client
  /etc/ldap/cacerts/NodeA_pub.pem
  /etc/ldap/cacerts/NodeB_pub.pem
  No keys present
    ldapsearch works to all ldap servers.
More details can be provided.
On Fri, 25 Jan 2008, Steve Pribyl wrote:
> I need some help understanding why things are the way they are.
> ...
> All nodes' keys are self authenticated, i.e. links to from hash.
("Self authenticated"? You mean they're self-signed certificates? What do you mean by "links to from hash"?)
> !!The Problem!!
> ldapsearch works to NodeB server, iff NodeB_key is present on NodeA
> slurpd works to NodeB server, iff NodeB_key is present on NodeA
>
> Node A - ldap master/client
>   /etc/ldap/cacerts/NodeA_pub.pem
>   /etc/ldap/cacerts/NodeB_pub.pem
>   /etc/pki/tls/certs/NodeA_key.pem
>     ldapsearch works to NodeA ldap server.
>   /etc/pki/tls/certs/NodeB_key.pem  <-- Why is this required?
>     ldapsearch works to NodeB server, iff NodeB_key is present on NodeA
>     slurpd works to NodeB server, iff NodeB_key is present on NodeA
ldapsearch and slurpd need to verify the cert of the server that they talk to by checking its signature against the CA that signed it. Furthermore, the CA cert must be in its list of trusted CAs. That's the cert itself for self-signed certs. From the above, it appears that ldapsearch and slurpd use /etc/pki/tls/certs/ as the CA certs directory. I would guess that your system's OpenSSL uses that as its compiled-in default. That, or your ldap.conf or .ldaprc has a TLS_CACERTDIR line naming that directory. (Don't know the ldap.conf path? Check the manpage!)
> Node B - ldap slave/client
>   /etc/ldap/cacerts/NodeA_pub.pem
>   /etc/ldap/cacerts/NodeB_pub.pem
>   /etc/pki/tls/certs/NodeB_key.pem
>     ldapsearch works to all ldap servers.
So what's the ldap.conf and .ldaprc on node B look like?
> Node C - ldap client
>   /etc/ldap/cacerts/NodeA_pub.pem
>   /etc/ldap/cacerts/NodeB_pub.pem
>   No keys present
>     ldapsearch works to all ldap servers.
Same question as node B.
Philip Guenther
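The trust-directory behaviour Philip describes, shown as an added example that is not part of this thread and not the poster's configuration: a self-signed server certificate verifies only against a CA directory that contains it under the subject-hash name OpenSSL looks up (the links c_rehash creates). The script assumes the openssl command-line tool is available; the two temporary directories stand in for /etc/ldap/cacerts and /etc/pki/tls/certs, and the NodeB certificate is generated on the fly as constructed test data.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is present.
# Temporary directories stand in for the two CA directories discussed above.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR_GOOD="$WORK/cacerts"   # plays the role of /etc/ldap/cacerts
CADIR_OTHER="$WORK/certs"    # plays the role of /etc/pki/tls/certs (no NodeB cert here)
mkdir -p "$CADIR_GOOD" "$CADIR_OTHER"

# Create a self-signed certificate for a hypothetical NodeB (constructed data).
# $1 = CN, $2 = certificate output file, $3 = private key output file
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$3" -out "$2" >/dev/null 2>&1
}

# Install a certificate into a CApath directory the way c_rehash does:
# OpenSSL finds trust anchors by <subject_hash>.<n>, not by the file's own name.
# $1 = certificate file, $2 = CApath directory
install_trust_anchor() {
    cp "$1" "$2/$(basename "$1")"
    subj_hash=$(openssl x509 -noout -subject_hash -in "$1")
    ln -sf "$(basename "$1")" "$2/$subj_hash.0"
}

# Verify a certificate the way a TLS client does: the chain must end in a cert
# found in the trusted directory. For a self-signed cert that means the cert itself.
# Prints "ok" or "fail" and returns 0/1 so callers can check the result.
# $1 = certificate file, $2 = CApath directory
verify_against() {
    if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo fail; return 1
    fi
}

make_selfsigned NodeB "$WORK/NodeB_pub.pem" "$WORK/NodeB_key.pem"
install_trust_anchor "$WORK/NodeB_pub.pem" "$CADIR_GOOD"

# Same certificate, two trust directories: only the one holding the hash link works.
echo "CApath with NodeB cert:    $(verify_against "$WORK/NodeB_pub.pem" "$CADIR_GOOD" || true)"
echo "CApath without NodeB cert: $(verify_against "$WORK/NodeB_pub.pem" "$CADIR_OTHER" || true)"
```

The -CApath argument here is what TLS_CACERTDIR in ldap.conf selects for the OpenLDAP client library. If the client ends up using the directory without the hash link, whether through a TLS_CACERTDIR line or OpenSSL's compiled-in default, the self-signed NodeB certificate fails verification even though the same file sits in another directory on disk, which matches the symptom in the original post.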
openldap-software@openldap.org