Hi everyone!
I've set up two test LDAP servers (2.4.10) with multimaster replication. With simple binds it is working well. I've set up a client certificate (everything CA signed, no self-signing ;-) ) to use with SASL/EXTERNAL authentication. Using olcAuthzRegexp I've mapped it to the rootdn of the cn=config backend, set up an .ldaprc file, and with:

su -c '/usr/bin/ldapwhoami' openldap -s /bin/sh

(I'm running slapd as the openldap user and group) I get:

SASL/EXTERNAL authentication started
SASL username: cn=LDAP Syncrepl Client,ou=LDAP Server,o=Kossuth Zsuzsanna SZKI,l=Dabas,st=Pest,c=HU
SASL SSF: 0
dn:cn=config

just like expected (ldapsearch and friends are also working on both sides and cross). Just to be sure I've exported the LDAPCONF variable in the slapd startup script. But syncrepl doesn't work! In the logs (olcLogLevel=-1):

slap_client_connect: URI=ldaps://first-or-second-ldap-server ldap_sasl_interactive_bind_s failed (-6)
connection_read(20): unable to get TLS client DN, error=49 id=23
Many thanks!
Geza
----- "Gémes Géza" geza@kzsdabas.hu wrote:
Are you trying to StartTLS on an SSL (ldaps://) connection? That won't work.
Gavin Henry wrote:
Are you trying to StartTLS on an SSL (ldaps://) connection? That won't work.
However a simple ldapwhoami or ldapsearch works. The ldaprc used is:
BASE dc=kzsdabas,dc=hu
URI ldaps://first-ldap-server ldaps://second-ldap-server
TLS_CACERT /etc/ssl/certs/ca.crt
TLS_CERT /etc/ldap/syncrepl.crt
TLS_KEY /etc/ldap/syncrepl.key
TLS_REQCERT demand
SASL_MECH external
SASL_AUTHCID cn=LDAP Syncrepl Client,ou=LDAP Server,o=Kossuth Zsuzsanna SZKI,l=Dabas,st=Pest,c=HU
Just to be sure now I've tried to change the providers to ldap://..., but without luck. Now it just reports in the logs:
slap_client_connect: URI=ldaps://first-or-second-ldap-server ldap_sasl_interactive_bind_s failed (-6)
Thanks for any idea.
Geza
[offlist]
On Mon, 18 Aug 2008, Gémes Géza wrote: ...
You changed them from "ldaps://" to "ldap://" in the ldap.conf, but the log still shows it using "ldaps://"? So you're tracking down where it actually gets the URI list from, right?
Philip Guenther
Philip Guenther wrote:
Sorry, I changed both .ldaprc's URI and syncrepl's provider to ldap://..., without any improvement. In the logs:
slap_client_connect: URI=ldap://first-or-second-ldap-server ldap_sasl_interactive_bind_s failed (-6)
Thanks
Geza Gemes
Gémes Géza wrote:
Gavin Henry wrote:
----- "Gémes Géza" geza@kzsdabas.hu wrote:
dn:cn=config just like expected (ldapsearch and friends are also working on both sides and cross). Just to be sure I've exported the LDAPCONF variable in the slapd startup script. But syncrepl doesn't work!
slapd no longer reads any external LDAP configuration files. The TLS options must be added to the syncrepl config statement. Read the slapd.conf(5) manpage.
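What Howard's answer amounts to in practice, as an added example that is not part of the thread: the TLS and SASL settings the poster had put in .ldaprc belong inside the syncrepl statement itself, here as olcSyncrepl attributes in cn=config. The provider hostnames, certificate paths and search base are the ones the thread mentions; the database name olcDatabase={1}hdb, the rid values and the retry schedule are placeholders.

```ldif
# Added example, not from the thread: give the syncrepl consumer its own
# TLS and SASL settings so slapd no longer depends on an .ldaprc or
# LDAPCONF that it never reads.
#
# Assumptions: the replicated database is olcDatabase={1}hdb (placeholder);
# hostnames, certificate paths and the search base come from the thread;
# rid values and the retry schedule are made up. In LDIF a continuation
# line starts with one space that is stripped on parsing, so each continued
# line below begins with two spaces to keep the keywords separated.

dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1 ldaps://first-ldap-server
olcServerID: 2 ldaps://second-ldap-server

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: {0}rid=001
  provider=ldaps://first-ldap-server
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=kzsdabas,dc=hu"
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/ldap/syncrepl.crt
  tls_key=/etc/ldap/syncrepl.key
  tls_cacert=/etc/ssl/certs/ca.crt
  tls_reqcert=demand
olcSyncrepl: {1}rid=002
  provider=ldaps://second-ldap-server
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=kzsdabas,dc=hu"
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/ldap/syncrepl.crt
  tls_key=/etc/ldap/syncrepl.key
  tls_cacert=/etc/ssl/certs/ca.crt
  tls_reqcert=demand
-
add: olcMirrorMode
olcMirrorMode: TRUE
```

The same LDIF is applied on both servers (each one ignores the olcSyncrepl entry that points at itself), and each provider needs the syncprov overlay on that database. Because the providers are ldaps:// URIs there is no starttls= keyword; with ldap:// providers you would add starttls=critical instead, which is Gavin's point about not mixing StartTLS with ldaps://. The cert subject is still mapped to a directory identity by olcAuthzRegexp on the provider side, exactly as the poster already had it, and that identity needs read access to the replicated subtree. Since slapd now holds the private key itself, keep /etc/ldap/syncrepl.key readable only by the user slapd runs as.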
Howard Chu wrote:
Many thanks, now it works like a charm!
openldap-software@openldap.org