Hi guys, I have a slight problem with syncrepl, only when using SSL.
When I use syncrepl without SSL the replication process works fine.
I can access the master LDAP server fine over SSL, as well as the consumer, but replication doesn't work.
Both have the same cacert.
Here's the consumer part of the slapd.conf:
syncrepl rid=1 provider=ldaps://master.xxx.com:636 binddn="cn=repadmin,dc=xxx,dc=com" bindmethod=simple searchbase="dc=xxx,dc=com" type=refreshOnly interval=00:01:00:00 filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off credentials=xxxxxx
If I change it to this, it works fine:
syncrepl rid=1 provider=ldap://master.xxx.com:389 binddn="cn=repadmin,dc=xxx,dc=com" bindmethod=simple searchbase="dc=xxx,dc=com" type=refreshOnly interval=00:01:00:00 filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off credentials=xxxxxx
Help is appreciated. TIA -James
James james@nttmcl.com writes:
[...]
And what is the TLS part of the consumer slapd.conf looking like?
-Dieter
"Dieter Kluenter" dieter@dkluenter.de writes:
[...]
And what is the TLS part of the consumer slapd.conf looking like?
Sorry, my fault, it should read ldap.conf
-Dieter
Dieter Kluenter wrote:
"Dieter Kluenter" dieter@dkluenter.de writes:
[...]
And what is the TLS part of the consumer slapd.conf looking like?
Sorry, my fault, it should read ldap.conf
-Dieter
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,postfix,messagebus
URI ldaps://master.example.com
BASE dc=example,dc=com
ldap_version 3
pam_password exop
ssl on
tls_ciphers HIGH:MEDIUM:+SSLv2:RSA
tls_checkpeer no
TLS_CACERT /etc/ssl/cacert.pem
TLS_REQCERT allow
Hi,
James james@nttmcl.com writes:
[...]
Most of these are not valid parameters for OpenLDAP. This file is a mixture of pam_ldap.conf and openldap/ldap.conf.
-Dieter
Dieter Kluenter wrote:
Hi,
[...]
Most of these are not valid parameters for OpenLDAP. This file is a mixture of pam_ldap.conf and openldap/ldap.conf.
-Dieter
Does that cause problems? Because I just symlink libnss-ldap.conf and pam_ldap.conf to ldap.conf for ease of management. If it does cause problems, can you give me an example of what to separate out where? TIA -James
James james@nttmcl.com writes:
[...]
Does that cause problems? Because I just symlink libnss-ldap.conf and pam_ldap.conf to ldap.conf for ease of management. If it does cause problems, can you give me an example of what to separate out where?
It may cause problems insofar as clients may refuse to recognise the file contents as valid parameters. You may strace or truss the slapd pid to view the files opened and read.
-Dieter
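One way to answer "what to separate out where": sort each line of the merged file by the program that actually reads its keyword, and flag the two settings in it (tls_checkpeer no, TLS_REQCERT allow) that disable server certificate verification on the pam_ldap and libldap side respectively. This is an added example, not code from the thread; the keyword sets are a hand-picked subset of ldap.conf(5) and pam_ldap.conf/nss_ldap keywords, and the sample input is a constructed excerpt of the consumer's pasted file.

```python
from collections import defaultdict

# ldap.conf(5) keywords libldap (hence slapd's syncrepl client) reads, case-insensitively; subset.
OPENLDAP_KEYWORDS = {
    "uri", "base", "binddn", "host", "port", "deref", "referrals", "sizelimit",
    "timelimit", "tls_cacert", "tls_cacertdir", "tls_cert", "tls_key",
    "tls_cipher_suite", "tls_reqcert", "tls_crlcheck",
}
# pam_ldap / nss_ldap read these; libldap ignores them. Again a subset.
PAM_NSS_KEYWORDS = {
    "bind_timelimit", "idle_timelimit", "nss_initgroups_ignoreusers", "ldap_version",
    "pam_password", "ssl", "tls_ciphers", "tls_checkpeer", "nss_base_passwd", "pam_filter",
}
# Keyword/value pairs that switch off server certificate verification.
WEAK_TLS = {("tls_reqcert", "allow"), ("tls_reqcert", "never"), ("tls_checkpeer", "no")}
def split_config(text):
    """Return (ldap.conf lines, pam_ldap.conf lines, unknown lines, weak TLS lines)."""
    out, weak = defaultdict(list), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines belong to neither file
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key in OPENLDAP_KEYWORDS:
            out["ldap.conf"].append(line)
        elif key in PAM_NSS_KEYWORDS:
            out["pam_ldap.conf"].append(line)
        else:
            out["unknown"].append(line)
        if (key, value) in WEAK_TLS:
            weak.append(line)
    return out["ldap.conf"], out["pam_ldap.conf"], out["unknown"], weak

# Constructed sample: part of the consumer's pasted file from the thread, one keyword per line.
SAMPLE = """\
timelimit 120
bind_timelimit 120
URI ldaps://master.example.com
BASE dc=example,dc=com
ldap_version 3
ssl on
tls_checkpeer no
TLS_CACERT /etc/ssl/cacert.pem
TLS_REQCERT allow
"""

if __name__ == "__main__":
    print(split_config(SAMPLE))
```

Note that `timelimit 120` lands in ldap.conf: libldap matches keywords case-insensitively, so only the pam_ldap/nss_ldap-specific names are the ones slapd silently drops.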
Dieter Kluenter wrote:
[...]
It may cause problems insofar as clients may refuse to recognise the file contents as valid parameters. You may strace or truss the slapd pid to view the files opened and read.
-Dieter
Just for reference, in case anybody else happens to have this little problem: I solved it by stripping the password from the SSL key files on the master and slave servers running ldaps, so that they didn't prompt for a password when I start slapd, like:
openssl rsa -in master.key -out master.key.clear
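Once the passphrase is stripped so slapd can start unattended, the key's only remaining protection is file permissions, so the check that goes with this fix is that the new .clear file is neither still passphrase-protected nor readable by group/other. Added example, not from the thread; the PEM files it writes are constructed placeholders with a fake body, not real key material.

```shell
#!/bin/sh
# Write two constructed PEM files into a temp dir: one with the legacy
# "Proc-Type: 4,ENCRYPTED" header (as master.key before the fix), one
# unencrypted and locked to 0600 (as master.key.clear afterwards).
make_sample_keys() {
  tmp=$(mktemp -d)
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'PLACEHOLDERBODY' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/master.key"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERBODY' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/master.key.clear"
  chmod 644 "$tmp/master.key"
  chmod 600 "$tmp/master.key.clear"
  echo "$tmp"
}

# 0 if the PEM key still needs a passphrase (legacy header or PKCS#8
# "ENCRYPTED PRIVATE KEY" block), 1 otherwise.
key_is_encrypted() {
  grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# 0 if no group/other permission bits are set (cols 5-10 of ls -l are "------").
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Readiness check for a slapd TLS key: starts without a prompt AND is private.
check_slapd_key() {
  if key_is_encrypted "$1"; then
    echo "$1: passphrase-protected; slapd will prompt at startup" >&2; return 1
  fi
  if ! key_is_private "$1"; then
    echo "$1: readable by group/other; chmod 600 it" >&2; return 1
  fi
  return 0
}
```

Run it against the real file as `check_slapd_key /path/to/master.key.clear` after the openssl step above.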
openldap-software@openldap.org