Hallo!

I'm trying to set up a replication with syncrepl and saslmech external and it won't succeed. I have been reading a lot but I really don't see where the problem is now and don't know how to continue. So I really would appreciate it if somebody could point me to the probable error. Please let me know if you need more info.
slapd is 2.3.31
master = erde.aag
slave = mond.aag

both compiled with:

./configure \
    '--prefix=/usr/local/ldap' \
    '--mandir=/usr/local/ldap/man' \
    '--libexecdir=/usr/local/ldap/sbin' \
    '--sysconfdir=/etc' \
    '--with-configdir=/etc/ldap' \
    '--with-subdir=ldap' \
    '--enable-spasswd' \
    '--enable-modules' \
    '--enable-hdb' \
    '--enable-overlays' \
    '--enable-slurpd' \
    '--with-cyrus-sasl' \
    '--with-tls'

(I will take --enable-slurpd out when syncrepl works)
Here are the relevant parts of the slapd.conf:

*****************************************************************
master:

...
overlay syncprov
syncprov-checkpoint 100 600
syncprov-sessionlog 100
...
authz-regexp
    "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"
    "ldap:///dc=aag??one? (cn=repl)"

limits dn.exact="cn=repl,dc=aag" size=unlimited time=unlimited

access to *
    by dn.exact="cn=repl,dc=aag" read
    by * none break
...
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/erde.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/erde.aag_key.pem
TLSVerifyClient demand
*****************************************************************
slave:

...
overlay syncprov
syncrepl rid=001
    provider=ldap://erde.aag:389
    searchbase="dc=aag"
    type=refreshOnly
    filter="objectClass=*"
    attrs="*,+"
    schemachecking=off
    scope=sub
    interval=00:00:01:00
    updatedn "cn=repl,dc=aag"
    updateref="ldap://erde.aag:389"
    bindmethod=sasl
    saslmech=EXTERNAL

authz-regexp
    "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"
    "ldap:///dc=aag??one? (cn=repl)"

access to *
    by dn="cn=repl,dc=aag" write
    by * read break

TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/mond.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/mond.aag_key.pem
TLSVerifyClient demand
*****************************************************************
syncrepl with bindmethod simple works fine with user repl.
*****************************************************************
A manual connection from the slave as a client, with the same certs I will use for syncrepl, works:

ldapsearch -Y external -ZZ cn=repl -h erde.aag -LLL
SASL/EXTERNAL authentication started
SASL username: emailAddress=edv@goetheanum.ch,CN=mond.aag,OU=Goetheanum,O=Allgemeine Anthroposophische Gesellschaft,L=Dornach,ST=Switzerland,C=CH
SASL SSF: 0
dn: cn=repl,dc=aag
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: repl
description: LDAP replicator
*****************************************************************
When I start the slave for the first replication with sasl external:

snip...
=>do_syncrepl rid 001
ldap_create
ldap_url_parse_ext(ldap://erde.aag:389)
ldap_sasl_interactive_bind_s: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP erde.aag:389
ldap_new_socket: 13
ldap_prepare_socket: 13
ldap_connect_to_host: Trying 192.168.100.72:389
ldap_connect_timeout: fd: 13 tm: -1 async: 0
ldap_int_sasl_open: host=192.168.100.72
do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (-6)
and on the master:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener(ldap:///)
daemon: listen=8, new connection on 12
daemon: added 12r (active) listener=(nil)
conn=21 fd=12 ACCEPT from IP=192.168.100.73:60625 (IP=0.0.0.0:389)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=21
connection_read(12): checking for input on id=21
ber_get_next
ldap_read: want=8, got=7
  0000:  30 05 02 01 01 42 00                               0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x082abc08 ptr=0x082abc08 end=0x082abc0d len=5
  0000:  02 01 01 42 00                                     ...B.
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=21, closing.
connection_closing: readying conn=21 sd=12 for close
connection_close: deferring conn=21 sd=12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
do_unbind
conn=21 op=0 UNBIND
connection_resched: attempting closing conn=21 sd=12
connection_close: conn=21 sd=12
daemon: removing 12
conn=21 fd=12 closed ()
Thank you very much,
Angela
--On Friday, March 02, 2007 5:14 PM +0100 Angela Gavazzi edv@goetheanum.ch wrote:

> Hallo!
> I'm trying to set up a replication with syncrepl and saslmech external and it won't succeed. I have been reading a lot but I really don't see where the problem is now and don't know how to continue. So I really would appreciate it if somebody could point me to the probable error. Please let me know if you need more info.
>
> slapd is 2.3.31
I don't know the answer to your question, but you definitely want to upgrade to at least 2.3.32. There was a serious bug in the connection code of 2.3.31 from a bad patch merge (my fault).
--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Hi,
Angela Gavazzi edv@goetheanum.ch writes:

> Hallo!
> I'm trying to set up a replication with syncrepl and saslmech external and it won't succeed. I have been reading a lot but I really don't see where the problem is now and don't know how to continue. So I really would appreciate it if somebody could point me to the probable error. Please let me know if you need more info.
> [...]
> slave:
> ...
> overlay syncprov
> syncrepl rid=001
>     provider=ldap://erde.aag:389
>     searchbase="dc=aag"
>     type=refreshOnly
>     filter="objectClass=*"
>     attrs="*,+"
>     schemachecking=off
>     scope=sub
>     interval=00:00:01:00
>     updatedn "cn=repl,dc=aag"
>     updateref="ldap://erde.aag:389"
>     bindmethod=sasl
>     saslmech=EXTERNAL

Is the relevant ldaprc pointing to the certificate?

> authz-regexp
>     "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"
>     "ldap:///dc=aag??one? (cn=repl)"

What is the result of ldapwhoami -Yexternal -ZZ ldap://mond.aag?
-Dieter
Dieter Kluenter wrote:
> Hi,
>
> Angela Gavazzi edv@goetheanum.ch writes:
>
>> Hallo!
>> I'm trying to set up a replication with syncrepl and saslmech external and it won't succeed. I have been reading a lot but I really don't see where the problem is now and don't know how to continue. So I really would appreciate it if somebody could point me to the probable error. Please let me know if you need more info.
>> [...]
>> slave:
>> ...
>> overlay syncprov
>> syncrepl rid=001
>>     provider=ldap://erde.aag:389
>>     searchbase="dc=aag"
>>     type=refreshOnly
>>     filter="objectClass=*"
>>     attrs="*,+"
>>     schemachecking=off
>>     scope=sub
>>     interval=00:00:01:00
>>     updatedn "cn=repl,dc=aag"
>>     updateref="ldap://erde.aag:389"
>>     bindmethod=sasl
>>     saslmech=EXTERNAL
>
> Is the relevant ldaprc pointing to the certificate?
>
>> authz-regexp
>>     "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"
>>     "ldap:///dc=aag??one? (cn=repl)"
>
> What is the result of ldapwhoami -Yexternal -ZZ ldap://mond.aag?
If the above works, I think you'll need to add
starttls=critical
to your syncrepl configuration, and make sure TLS is configured OK both in the producer (see slapd.conf(5)) and in the consumer (see ldap.conf(5)), and make sure the TLS_CERT and TLS_KEY are set in the user-specific ldap.conf(5), and that TLS_REQCERT in the consumer's ldap.conf(5) and TLSVerifyClient in the producer's slapd.conf(5) are set to something like "demand", so that certificates are checked for sure by both peers.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
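The checks Pierangelo lists, written up as an added Python example (not code from this thread or from OpenLDAP): it parses the consumer's syncrepl stanza and ldap.conf as posted, both constructed here from the thread, and reports a bindmethod=sasl saslmech=EXTERNAL stanza on a plain ldap:// provider that lacks starttls=critical, a missing TLS_CACERT, TLS_CERT or TLS_KEY, or a TLS_REQCERT weaker than demand. The finding texts are my own wording.

```python
import shlex

# Constructed sample: the consumer's syncrepl directive as posted, before starttls=critical.
SYNCREPL_POSTED = """
syncrepl rid=001
    provider=ldap://erde.aag:389
    searchbase="dc=aag"
    type=refreshOnly
    bindmethod=sasl
    saslmech=EXTERNAL
"""

# Constructed sample: the consumer's ldap.conf as posted (no TLS_REQCERT line, so the default "demand").
LDAP_CONF_POSTED = """
BASE       dc=aag
URI        ldap://erde.aag:389
TLS_CACERT /etc/ldap/certs/cacert.pem
TLS_CERT   /etc/ldap/certs/mond.aag_cert.pem
TLS_KEY    /etc/ldap/certs/mond.aag_key.pem
"""

def parse_syncrepl(text):
    """Join the continuation lines and split the key=value options into a dict."""
    joined = " ".join(ln.strip() for ln in text.splitlines() if ln.strip())
    toks = shlex.split(joined)  # keeps double-quoted values such as "dc=aag" intact
    return {k: v for k, _, v in (t.partition("=") for t in toks[1:])}

def parse_ldap_conf(text):
    """ldap.conf(5) lines are 'KEY value'; keys are case-insensitive, '#' starts a comment."""
    conf = {}
    for ln in text.splitlines():
        parts = ln.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0].upper()] = parts[1].strip()
    return conf

def lint_external(sync, conf):
    """Findings for a SASL EXTERNAL consumer; an empty list means the settings are consistent."""
    if (sync.get("bindmethod", "").lower(), sync.get("saslmech", "").upper()) != ("sasl", "EXTERNAL"):
        return []
    findings = []
    # Without TLS the client has no certificate identity to offer, so EXTERNAL fails on the consumer side.
    if (not sync.get("provider", "").lower().startswith("ldaps://")
            and sync.get("starttls", "").lower() != "critical"):
        findings.append("starttls=critical missing: EXTERNAL needs the TLS client certificate identity")
    for key in ("TLS_CACERT", "TLS_CERT", "TLS_KEY"):
        if key not in conf:
            findings.append(f"{key} not set in the consumer's ldap.conf")
    if conf.get("TLS_REQCERT", "demand").lower() not in ("demand", "hard"):
        findings.append("TLS_REQCERT must be demand so the provider's cert is verified")
    return findings
```

Run against the posted stanza it reports only the missing starttls=critical; with that line appended the list is empty, and a TLS_REQCERT of allow or never is reported as well.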
On Saturday, 3 March 2007 00:04, Pierangelo Masarati wrote:
> Dieter Kluenter wrote:
>> Hi,
>>
>> Angela Gavazzi edv@goetheanum.ch writes:
>>
>>> Hallo!
>>> I'm trying to set up a replication with syncrepl and saslmech external and it won't succeed. I have been reading a lot but I really don't see where the problem is now and don't know how to continue. So I really would appreciate it if somebody could point me to the probable error. Please let me know if you need more info.
>>> [...]
>>> slave:
>>> ...
>>> overlay syncprov
>>> syncrepl rid=001
>>>     provider=ldap://erde.aag:389
>>>     searchbase="dc=aag"
>>>     type=refreshOnly
>>>     filter="objectClass=*"
>>>     attrs="*,+"
>>>     schemachecking=off
>>>     scope=sub
>>>     interval=00:00:01:00
>>>     updatedn "cn=repl,dc=aag"
>>>     updateref="ldap://erde.aag:389"
>>>     bindmethod=sasl
>>>     saslmech=EXTERNAL
Hi, first I updated to 2.3.32 as Quanah wrote.
>> Is the relevant ldaprc pointing to the certificate?

... from the man page:
    Users may create an optional configuration file, ldaprc or .ldaprc, in their home directory which will be used to override the system-wide defaults file. The file ldaprc in the current working directory is also used.

So I thought that ldap.conf is enough.
Apologies for the question: where should ldaprc/.ldaprc be if the ldapuser has no shell? Or what is the current working directory of openldap?
The homedir of ldapuser is /usr/local/ldap. I put the ldaprc there; I also tried /etc/ldap, and tried to start slapd with -r / (only for testing) and put it in there, but it makes no difference.
That's my ldap.conf:

BASE dc=aag
URI ldap://erde.aag:389
TLS_CACERT /etc/ldap/certs/cacert.pem
TLS_CERT /etc/ldap/certs/mond.aag_cert.pem
TLS_KEY /etc/ldap/certs/mond.aag_key.pem
>>> authz-regexp
>>>     "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"
>>>     "ldap:///dc=aag??one? (cn=repl)"
>>
>> What is the result of ldapwhoami -Yexternal -ZZ ldap://mond.aag?

ldapwhoami -Yexternal -ZZ ldap://mond.aag
SASL/EXTERNAL authentication started
SASL username: emailAddress=edv@goetheanum.ch,CN=mond.aag,OU=Goetheanum,O=Allgemeine Anthroposophische Gesellschaft,L=Dornach,ST=Switzerland,C=CH
SASL SSF: 0
dn:email=edv@goetheanum.ch,cn=mond.aag,ou=goetheanum,o=allgemeine anthroposophische gesellschaft,l=dornach,st=switzerland,c=ch
Result: Success (0)
> If the above works, I think you'll need to add
>
> starttls=critical
I did it and got this now:
TLS certificate verification: depth: 0, err: 18, subject: /C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische Gesellschaft/OU=Goetheanum/CN=erde.aag/emailAddress=edv@goetheanum.ch, issuer: /C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische Gesellschaft/OU=Goetheanum/CN=erde.aag/emailAddress=edv@goetheanum.ch
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
Error: rid 001 ldap_start_tls failed (-11)
So I understand that openldap doesn't recognize the CA, but at the moment I don't know how to solve this. It makes no difference if I start slapd as root, even though my ldapsearch as root works. I'm sure all cert and key files are accessible by the ldapuser.

Thanks to all,
Angela
> to your syncrepl configuration, and make sure TLS is configured OK both in the producer (see slapd.conf(5)) and in the consumer (see ldap.conf(5)), and make sure the TLS_CERT and TLS_KEY are set in the user-specific ldap.conf(5),

see below*

> and that TLS_REQCERT in the consumer's ldap.conf(5)

TLS_REQCERT require

> and TLSVerifyClient in the producer's slapd.conf(5) are set

TLSVerifyClient demand

> to something like "demand", so that certificates are checked for sure by both peers.
>
> p.
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> Office:  +39.02.23998309
> Mobile:  +39.333.4963172
> Email:   pierangelo.masarati@sys-net.it
Hi Angela,
just got SASL EXTERNAL to work with syncrepl today. I am not sure if .ldaprc and others play a role here. The consumer ldap server should have a certificate, which you configure in your slapd.conf (man slapd.conf) or otherwise in the config backend. If I am not confusing anything, you should have set

TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile

What's happening with you is that you most probably use a self-signed certificate. That is not good. I would suggest you set up your own CA and issue certificates to both consumer and provider.

best regards,
vadim tarassov
On Mon, 2007-03-05 at 12:32 +0100, Angela Gavazzi wrote:
> [...]