Hi,
I am trying to set up a replication server using Openldap-2.3.27. I have set it up (detailed below) and I get on the slave
TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
What is really strange is that I can log on and make manual modifications to the slave from the master as the replication user with the password specified in slapd.conf (yes, over tls!).
I was thinking it might be because of differing ssl versions, but I tried switching to SSLv3 and the config file and it had no effect.
Does anyone have some tips that would help me additionally debug this problem or get an idea of where the failure is?
// Relevant config file lines on master
replica host=<<hostname>>:636
        binddn="cn=replicator,dc=hmc,dc=edu"
        tls=yes
        bindmethod=simple
        credentials=<<password>>

// Relevant config lines on slave
TLSCipherSuite HIGH:MEDIUM:+SSLv3
updatedn "cn=replicator,dc=hmc,dc=edu"
updateref ldaps://<<ref>>
Thanks, Andrew
Andrew Higginbotham wrote:
> Hi,
> I am trying to set up a replication server using Openldap-2.3.27. I have set it up (detailed below) and I get on the slave
> TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
> What is really strange is that I can log on and make manual modifications to the slave from the master as the replication user with the password specified in slapd.conf (yes, over tls!).
> I was thinking it might be because of differing ssl versions, but I tried switching to SSLv3 and the config file and it had no effect.
> Does anyone have some tips that would help me additionally debug this problem or get an idea of where the failure is?
>
> // Relevant config file lines on master
> replica host=<<hostname>>:636
>         binddn="cn=replicator,dc=hmc,dc=edu"
>         tls=yes
>         bindmethod=simple
>         credentials=<<password>>
If you're using port 636 then you're most likely using ldaps. You need to use an ldaps:// uri here, not the host/tls options.
> // Relevant config lines on slave
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> updatedn "cn=replicator,dc=hmc,dc=edu"
> updateref ldaps://<<ref>>
>
> Thanks, Andrew
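The mismatch Howard points at (a host=...:636 target combined with tls=yes) is easy to lint for. The following is an added example written for this thread, not code from the posters or from OpenLDAP. It assumes the 2.3 slapd.conf(5) replica syntax with uri= and starttls= (tls= being the older spelling), and that tls=yes on a host= target means a cleartext connection followed by a StartTLS request, which an ldaps listener rejects because it expects a TLS handshake as the first bytes on the socket; hostnames and the secret in the sample are constructed. Beyond the thread's case it also flags replica directives that send the replicator password with no TLS at all, and rewrites host= directives into the uri= form.

```python
"""Lint slurpd `replica` directives in slapd.conf for TLS/port mismatches.

Added example for this thread, not the posters' or OpenLDAP's code.  Assumed
(not confirmed by the thread): the 2.3 slapd.conf(5) syntax
  replica uri=ldap[s]://host[:port] | host=host[:port] [starttls=yes|critical]
          bindmethod=... binddn=... credentials=...
with `tls=` as the older spelling of `starttls=`, and that host= plus tls=yes
means "connect in the clear, then send a StartTLS request", which an ldaps
listener (expecting a TLS ClientHello as its first bytes) rejects.
"""
import shlex
from urllib.parse import urlsplit

LDAPS_PORT = 636

# Constructed sample (hostnames and secret are made up): the thread's broken
# form, a cleartext form, and the uri=ldaps:// form Howard Chu suggested.
SAMPLE_CONF = """\
replica host=slave.example.com:636
        binddn="cn=replicator,dc=example,dc=com"
        tls=yes
        bindmethod=simple
        credentials=sample-secret
replica host=other.example.com
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=sample-secret
replica uri=ldaps://good.example.com:636
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=sample-secret
"""

MESSAGES = {
    "LDAPS_PORT_NOT_LDAPS": "port 636 without ldaps://: the ldaps listener expects a TLS "
        "handshake first, so a cleartext or StartTLS request fails ('unknown protocol' "
        "on the slave); use uri=ldaps://host:636",
    "STARTTLS_ON_LDAPS": "starttls/tls set on an ldaps:// target; the session is already TLS",
    "CLEARTEXT": "neither ldaps:// nor StartTLS: replicator password and every change "
        "cross the network unencrypted",
    "STARTTLS_NOT_CRITICAL": "starttls/tls=yes rather than critical (assumed to allow "
        "falling back to the clear if StartTLS fails)",
    "NO_TARGET": "replica directive has neither uri= nor host=",
}

def join_continuations(text):
    """slapd.conf continues a directive on lines that start with whitespace."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def parse_replica(line):
    """`replica key=value ...` -> dict, or None for any other directive."""
    tokens = shlex.split(line)            # honours the double-quoted binddn
    if not tokens or tokens[0].lower() != "replica":
        return None
    opts = {}
    for tok in tokens[1:]:
        key, _, val = tok.partition("=")  # split at the FIRST '=' only
        opts[key.lower()] = val
    return opts

def check_replica(opts):
    """Finding codes for one parsed directive; an empty list means it looks fine."""
    starttls = opts.get("starttls", opts.get("tls", "no")).lower()
    if "uri" in opts:
        u = urlsplit(opts["uri"])
        scheme = u.scheme.lower()
        port = u.port or (LDAPS_PORT if scheme == "ldaps" else 389)
    elif "host" in opts:
        scheme = "ldap"                   # host= is always a plain connection
        host, _, p = opts["host"].partition(":")   # (no IPv6 literals handled)
        port = int(p) if p else 389
    else:
        return ["NO_TARGET"]
    ldaps = scheme == "ldaps"
    findings = []
    if ldaps and starttls != "no":
        findings.append("STARTTLS_ON_LDAPS")
    if not ldaps and port == LDAPS_PORT:
        findings.append("LDAPS_PORT_NOT_LDAPS")
    if not ldaps and starttls == "no":
        findings.append("CLEARTEXT")
    if not ldaps and starttls == "yes":
        findings.append("STARTTLS_NOT_CRITICAL")
    return findings

def suggest_uri_form(opts):
    """Rewrite a host= directive in uri= form: port 636 becomes ldaps://,
    anything else stays ldap:// with StartTLS made mandatory."""
    if "host" not in opts:
        return None
    host, _, p = opts["host"].partition(":")
    if p == str(LDAPS_PORT):
        parts = [f"uri=ldaps://{host}:{p}"]
    else:
        parts = [f"uri=ldap://{opts['host']}", "starttls=critical"]
    for key in ("bindmethod", "binddn", "credentials"):
        if key in opts:
            v = opts[key]
            parts.append(f'{key}="{v}"' if "," in v or " " in v else f"{key}={v}")
    return "replica " + " ".join(parts)

def lint_conf(text):
    """(target, [codes], suggestion-or-None) for every replica directive."""
    out = []
    for line in join_continuations(text):
        opts = parse_replica(line)
        if opts is not None:
            target = opts.get("uri") or opts.get("host") or "?"
            out.append((target, check_replica(opts), suggest_uri_form(opts)))
    return out

if __name__ == "__main__":
    for target, codes, fix in lint_conf(SAMPLE_CONF):
        print(target, "OK" if not codes else "")
        for c in codes:
            print("   ", c + ":", MESSAGES[c])
        if fix and codes:
            print("    suggested:", fix)
```

Run against a real slapd.conf with `lint_conf(open(path).read())`; the first sample replica reproduces the thread's situation and gets the uri=ldaps:// rewrite, the second shows why a replica line deserves the same scrutiny as any other place a password is stored.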
On Wed, Nov 15, 2006 at 12:46:20PM -0800, Howard Chu wrote:
> Andrew Higginbotham wrote:
>> Hi,
>> I am trying to set up a replication server using Openldap-2.3.27. I have set it up (detailed below) and I get on the slave
>> TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
>> What is really strange is that I can log on and make manual modifications to the slave from the master as the replication user with the password specified in slapd.conf (yes, over tls!).
>> I was thinking it might be because of differing ssl versions, but I tried switching to SSLv3 and the config file and it had no effect.
>> Does anyone have some tips that would help me additionally debug this problem or get an idea of where the failure is?
>>
>> // Relevant config file lines on master
>> replica host=<<hostname>>:636
>>         binddn="cn=replicator,dc=hmc,dc=edu"
>>         tls=yes
>>         bindmethod=simple
>>         credentials=<<password>>
>
> If you're using port 636 then you're most likely using ldaps. You need to use an ldaps:// uri here, not the host/tls options.
When I do this I get
Error: parse_replica_line: unknown keyword "uri=ldaps://<<hostname>>:636"
Error: Malformed "replica" line in slapd config file, line 120
Warning: failed to add replica "(null):0 - ignoring replica
I think it is because the replication master is using an older version of ldap (2.1.25). Could the version difference prove to be an insurmountable problem?
~Andrew
>> // Relevant config lines on slave
>> TLSCipherSuite HIGH:MEDIUM:+SSLv3
>> updatedn "cn=replicator,dc=hmc,dc=edu"
>> updateref ldaps://<<ref>>
>>
>> Thanks, Andrew
>
> --
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc
>   OpenLDAP Core Team            http://www.openldap.org/project/
> When I do this I get
>
> Error: parse_replica_line: unknown keyword "uri=ldaps://<<hostname>>:636"
> Error: Malformed "replica" line in slapd config file, line 120
> Warning: failed to add replica "(null):0 - ignoring replica
>
> I think it is because the replication master is using an older version of ldap (2.1.25). Could the version difference prove to be an insurmountable problem?
>
> ~Andrew
You can try "slaptest -d 64" to see what's going on with the config parsing, but you're probably going to get hurt running 2.1.25. slapcat/slapadd to a newer version and you'll be much better off.
Aaron Richton wrote:
>> When I do this I get
>>
>> Error: parse_replica_line: unknown keyword "uri=ldaps://<<hostname>>:636"
>> Error: Malformed "replica" line in slapd config file, line 120
>> Warning: failed to add replica "(null):0 - ignoring replica
>>
>> I think it is because the replication master is using an older version of ldap (2.1.25). Could the version difference prove to be an insurmountable problem?
2.1.x definitely didn't support the uri= syntax. I don't remember what it did support for ldaps://.
>> ~Andrew
>
> You can try "slaptest -d 64" to see what's going on with the config parsing, but you're probably going to get hurt running 2.1.25. slapcat/slapadd to a newer version and you'll be much better off.
That would definitely be best.
I tested the same slurpd conf with an identical daemon process on the same server and it works fine. Problem solved.
Thanks for the help guys, Andrew
On Wed, Nov 15, 2006 at 08:00:41PM -0800, Howard Chu wrote:
> Aaron Richton wrote:
>>> When I do this I get
>>>
>>> Error: parse_replica_line: unknown keyword "uri=ldaps://<<hostname>>:636"
>>> Error: Malformed "replica" line in slapd config file, line 120
>>> Warning: failed to add replica "(null):0 - ignoring replica
>>>
>>> I think it is because the replication master is using an older version of ldap (2.1.25). Could the version difference prove to be an insurmountable problem?
>
> 2.1.x definitely didn't support the uri= syntax. I don't remember what it did support for ldaps://.
>
>>> ~Andrew
>>
>> You can try "slaptest -d 64" to see what's going on with the config parsing, but you're probably going to get hurt running 2.1.25. slapcat/slapadd to a newer version and you'll be much better off.
>
> That would definitely be best.
openldap-software@openldap.org