I have created a set of self-signed certs for my master and a slave. Clients can connect to either with the cert installed on the client, but I am having trouble getting them to talk to each other over TLS. I want the master to replicate to the slave over TLS but can't get it to work. Strangely, I have it working the other way: the slave can bind to the master over TLS, but the master cannot bind to the slave. I have TLS_CACERTDIR set correctly with the certs installed in that location (with symlinks being created), but I am still getting the self-signed cert error when trying to bind.
Debug output:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: ........
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
--On Tuesday, October 17, 2006 2:29 PM -0700 "Josh M. Hurd" JoshH@revenuescience.com wrote:
> I have created a set of self-signed certs for my master and a slave. Clients can connect to either with the cert installed on the client, but I am having trouble getting them to talk to each other over TLS. I want the master to replicate to the slave over TLS but can't get it to work. Strangely, I have it working the other way: the slave can bind to the master over TLS, but the master cannot bind to the slave. I have TLS_CACERTDIR set correctly with the certs installed in that location (with symlinks being created), but I am still getting the self-signed cert error when trying to bind.
>
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 18, subject: ........
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
Well, it can't find the CA that signed the cert. Have you configured ldap.conf properly for both systems?
I'll note that if the client binding to the master works over TLS, and assuming you are using a modern version of OpenLDAP (read 2.3.27 or later), then you could use syncrepl.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
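As an added illustration of the syncrepl alternative Quanah mentions (example configuration, not anything posted in the thread), here is the shape of a consumer stanza for the slave's slapd.conf. Host names, DNs, the rid and the credential are made up. Two things matter for this thread: the direction is reversed compared to slurpd, since the consumer (slave) opens the connection to the provider (master), which is the direction that already works for Josh; and with no TLS keywords in the stanza, the consumer's libldap takes its TLS settings (TLS_CACERTDIR, TLS_REQCERT) from the slave's ldap.conf, which is the "configure ldap.conf properly" point above. `starttls=critical` makes the replication session fail instead of silently continuing in cleartext if StartTLS cannot be negotiated. The provider side needs the syncprov overlay on the database being replicated.

```conf
# slave (consumer) slapd.conf, on the database that mirrors the master
# added example, not from the thread; names and values are made up
syncrepl rid=001
        provider=ldap://master.example.com:389
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=secret
        starttls=critical
updateref       ldap://master.example.com

# master (provider) slapd.conf, on the same database
overlay syncprov
```

The bind DN and password travel inside the TLS session, so whether the consumer actually verified the provider's certificate before sending them depends entirely on the TLS_REQCERT setting in the slave's ldap.conf, not on anything in this stanza.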
Josh M. Hurd wrote:
> I have created a set of self-signed certs for my master and a slave. Clients can connect to either with the cert installed on the client, but I am having trouble getting them to talk to each other over TLS. I want the master to replicate to the slave over TLS but can't get it to work. Strangely, I have it working the other way: the slave can bind to the master over TLS, but the master cannot bind to the slave. I have TLS_CACERTDIR set correctly with the certs installed in that location (with symlinks being created), but I am still getting the self-signed cert error when trying to bind.
>
> Debug output:
>
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 18, subject: ........
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
What if you add
TLS_REQCERT allow
to /etc/ldap.conf or /etc/openldap/ldap.conf
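Both replies come down to what OpenSSL, called from libldap on the master, finds in TLS_CACERTDIR. The trace says err 18 at depth 0, which is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the slave's certificate is its own issuer, so there is no separate CA to install, and the slave's certificate itself has to be present in the master's TLS_CACERTDIR under the `<subject_hash>.0` name that OpenSSL's directory lookup uses. The script below is an added example, not code from the thread: it generates a throw-away self-signed certificate standing in for the slave's, shows that verifying it against an empty directory reproduces error 18, installs it under its hash name, and verifies again. The ldap.conf fragment it writes keeps `TLS_REQCERT demand`, which is the libldap default. With `TLS_REQCERT allow`, as suggested in the reply above, a server certificate that fails verification is ignored and the session proceeds, so the master's replication bind DN and password would be sent to an unverified peer. `$WORK`, the host name and all paths are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: lay out a TLS_CACERTDIR the way
# OpenSSL's c_rehash does and check a self-signed server cert against it with
# the same verifier libldap relies on. Paths and host names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CACERTDIR="$WORK/cacerts"      # stands in for e.g. /etc/openldap/cacerts

# Throw-away self-signed cert standing in for the slave's server cert.
# $1 = output PEM path, $2 = CN
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Print the X509 verify error number openssl reports for $1 against
# CACERTDIR (18 = self signed certificate at depth 0, the thread's error),
# 0 when the cert verifies, or -1 if the output could not be parsed.
verify_errcode() {
    mkdir -p "$CACERTDIR"
    if out=$(openssl verify -CApath "$CACERTDIR" "$1" 2>&1); then
        echo 0
    else
        code=$(echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
        echo "${code:--1}"
    fi
}

# Install a trusted cert into CACERTDIR under its subject-hash name, <hash>.0,
# the name OpenSSL looks up when TLS_CACERTDIR is set (c_rehash would use .1,
# .2, ... on a hash collision; a single cert per hash is assumed here).
# Prints the link name it created.
install_ca() {
    mkdir -p "$CACERTDIR"
    hash=$(openssl x509 -noout -subject_hash -in "$1")
    cp "$1" "$CACERTDIR/$(basename "$1")"
    ln -sf "$(basename "$1")" "$CACERTDIR/$hash.0"
    echo "$hash.0"
}

# Write the client-side ldap.conf fragment the master's libldap reads for its
# outbound TLS connections. "demand" (the default) makes a bad server cert
# fatal; "allow" would ignore the bad cert and let the session proceed.
write_ldap_conf() {
    cat > "$1" <<EOF
TLS_CACERTDIR $CACERTDIR
TLS_REQCERT demand
EOF
}

main() {
    make_selfsigned "$WORK/slave.pem" slave.example.org
    echo "before install: verify error $(verify_errcode "$WORK/slave.pem")"
    echo "installed as $(install_ca "$WORK/slave.pem")"
    echo "after install:  verify error $(verify_errcode "$WORK/slave.pem")"
    write_ldap_conf "$WORK/ldap.conf"
    echo "wrote $WORK/ldap.conf"
}
main
```

Compare the link name this prints with `ls -l` of the real TLS_CACERTDIR on the master. OpenSSL 1.0.0 changed the subject-hash algorithm, so a directory rehashed with one OpenSSL release can carry names that the library slapd is linked against will not look up; `openssl x509 -noout -subject_hash_old -in cert.pem` prints the pre-1.0.0 form if both need to be present.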
openldap-software@openldap.org