Hi,
As an exercise I tried setting up a 2-node N-Way Multi-Master with TLS
and TLS replication based on section 18.3.3 of the Admin Guide. I
bumped into a problem that I haven't been able to fix. The error is:
TLS: hostname (ldap02.local) does not match common name in certificate
(ldap01.local).
51f87d48 slap_client_connect: URI=ldap://ldap02.local Error,
ldap_start_tls failed (-11
I have tested the certificates manually and I can't see anything wrong
with them. I use FQDNs everywhere. Also it seems odd that, based on
the strace output of slapd, ldap01 needs access to the public and private
certificate of ldap02 and vice versa.
OpenLDAP version 2.4.35 + fixes recommended by Quanah on the list.
NTP is running; iptables and SELinux are off.
The config below is added with:
slapadd -v -F /etc/openldap-2.4/slapd.d -l ./test.ldif -n 0
Anyone have a hint what I am doing wrong?
-------------------------------------------------------------------
Config ldap01:
-------------------------------------------------------------------
# global configuration settings
# Review notes (ldap01, cn=config):
# - cn=config itself is replicated between both servers (olcSyncrepl
#   rid=1/rid=2 under olcDatabase={0}config), so the host-specific
#   olcTLSCertificateFile / olcTLSCertificateKeyFile values below travel
#   to the peer too. The ldap02 listing already carries the ldap01.local.*
#   paths, which matches the reported error: ldap02 presents a certificate
#   whose CN is ldap01.local. Use one host-neutral path on both hosts with
#   per-host file contents (for example /etc/pki/tls/certs/slapd.crt - an
#   example name) so the replicated value is correct on either server.
# - olcTLSVerifyClient: demand requires and verifies a client certificate
#   on every TLS session; that is why each consumer below needs
#   tls_cert/tls_key issued by the same Test-CA.
# - olcSecurity: ssf=256 refuses operations whose negotiated cipher gives
#   an SSF below 256. A cipher list that still allows 128-bit suites (the
#   ldap02 listing sets TLSv1+HIGH) can negotiate AES-128 and be rejected
#   here - confirm the negotiated cipher once TLS is up.
# - olcLogLevel 127 16384 is a verbose debug setting (trace..config plus
#   sync); lower it once the problem is found.
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap-2.4/slapd-2.4.args
olcPidFile: /var/run/openldap-2.4/slapd-2.4.pid
olcLogFile: /var/log/openldap-2.4/slapd-2.4.log
olcLogLevel: 127 16384
olcTLSCACertificateFile: /etc/pki/tls/certs/Test-CA.crt
# host-specific values; see the replication note above
olcTLSCertificateFile: /etc/pki/tls/certs/ldap01.local.crt
# private key (file name ends in .key.crt); keep it readable by the slapd
# user only - file modes are not visible here, confirm on the host
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap01.local.key.crt
olcTLSVerifyClient: demand
olcLocalSSF: 256
olcSecurity: ssf=256
olcPasswordCryptSaltFormat: $6$%s
olcPasswordHash: {CRYPT}
# slapd selects its own server ID by matching one of these URLs against
# its listener URL; each host must therefore listen on its own
# ldap://ldapNN.local URL (the slapd -h argument is not shown - confirm)
olcServerID: 1 ldap://ldap01.local
olcServerID: 2 ldap://ldap02.local
# load modules
# NOTE(review): the ldap02 listing additionally loads memberof, refint,
# auditlog and ppolicy. Because cn=config is replicated, presumably this
# entry converges to one of the two lists; keep the module lists (and the
# .la files under olcModulePath) identical on both hosts.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/lib64/openldap-2.4
olcModuleLoad: back_mdb.la
olcModuleLoad: back_monitor.la
# syncprov is required on every provider in the multi-master ring
olcModuleload: syncprov.la
# schema definitions
# The schema set is identical on both hosts; ppolicy.ldif is included
# here although this host does not load the ppolicy module (harmless).
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
# include the schemas
include: file:///etc/openldap-2.4/schema/core.ldif
include: file:///etc/openldap-2.4/schema/corba.ldif
include: file:///etc/openldap-2.4/schema/cosine.ldif
include: file:///etc/openldap-2.4/schema/duaconf.ldif
include: file:///etc/openldap-2.4/schema/dyngroup.ldif
include: file:///etc/openldap-2.4/schema/inetorgperson.ldif
include: file:///etc/openldap-2.4/schema/java.ldif
include: file:///etc/openldap-2.4/schema/misc.ldif
include: file:///etc/openldap-2.4/schema/nis.ldif
include: file:///etc/openldap-2.4/schema/openldap.ldif
include: file:///etc/openldap-2.4/schema/ppolicy.ldif
include: file:///etc/openldap-2.4/schema/collective.ldif
# global database parameters
# frontend entry with no attributes of its own; global limits and ACLs
# are set per database below
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
# setup cn=config
# Review notes (ldap01, config database):
# - rid=1 binds as cn=config with credentials=password, rid=2 with
#   credentials=1234. Each value must equal the olcRootPW of the provider
#   it points at, and with a replicated cn=config both providers end up
#   with the same olcRootPW - so both credentials should be identical.
#   Verify which one is correct.
# - These credentials are stored in clear text in cn=config and in the
#   slapd.d files. The olcAccess below limits in-directory reads to
#   cn=Manager,dc=local; the on-disk slapd.d directory must be
#   mode-restricted as well (not visible here).
# - tls_reqcert=demand makes the consumer verify the provider's chain
#   and match its hostname against the provider= URL; this is the check
#   that produced the "hostname (ldap02.local) does not match common name
#   in certificate (ldap01.local)" error.
# - tls_cert/tls_key are needed because the provider sets
#   olcTLSVerifyClient: demand.
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
# placeholder value; the real hash is not part of the listing
olcRootPW: {CRYPT}$6$<somepass>
olcSyncrepl: rid=1 provider=ldap://ldap01.local
searchbase="cn=config" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +"
bindmethod=simple binddn="cn=config" credentials=password
starttls=critical tls_cert=/etc/pki/tls/certs/config.crt
tls_key=/etc/pki/tls/private/config.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
olcSyncrepl: rid=2 provider=ldap://ldap02.local
searchbase="cn=config" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple
binddn="cn=config" credentials=1234 starttls=critical
tls_cert=/etc/pki/tls/certs/config.crt
tls_key=/etc/pki/tls/private/config.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
# required together with syncprov for multi-master replication
olcMirrorMode: TRUE
# cn=config (the root DN) bypasses ACLs; everyone else except the
# dc=local manager is denied
olcAccess: to *
by dn.exact="cn=Manager,dc=local" write
by * none
# setup monitoring
# cn=Monitor exposes connection and operation statistics; only the
# dc=local manager may read it
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: monitor
olcAccess: to dn.subtree=cn=Monitor
by dn.exact="cn=Manager,dc=local" write
by * none
# main data database (dc=local)
# Review notes (ldap01, mdb database):
# - "olcAccess: to * ... by * read" grants every client, anonymous
#   included (over TLS, given olcSecurity ssf=256), read access to all
#   dc=local entries except userPassword. Use "by users read" instead if
#   anonymous browsing is not intended.
# - olcSizeLimit/olcTimeLimit unlimited removes the search bounds for all
#   clients; the olcLimits entry below already lifts them for the manager
#   alone, which is usually enough.
# - rid=3/rid=4 replicate as cn=Manager (the rootdn, which bypasses ACLs)
#   with clear-text credentials; a dedicated replication identity with
#   read access would be least-privilege. Same credential handling notes
#   as for the config database apply.
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=local
olcRootDN: cn=Manager,dc=local
# placeholder value; the real hash is not part of the listing
olcRootPW: {CRYPT}$6$<somepass>
olcDbDirectory: /var/lib/ldap-2.4/local
olcDbIndex: cn pres,eq,sub
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: memberUid pres,eq
olcDbIndex: objectClass pres,eq
olcDbIndex: ou pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: uid pres,eq
olcDbIndex: uidNumber pres,eq
# entryCSN/entryUUID eq indexes are needed for efficient syncrepl
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbMaxReaders: 0
olcDbMode: 0600
olcDbSearchStack: 16
# size in bytes: 5368709120 = 5 GiB (1 GiB = 1073741824 bytes)
olcDbMaxSize: 5368709120
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbNoSync: FALSE
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcDbEnvFlags: writemap
# nometasync relaxes metadata flushing on commit (durability trade-off
# for speed) - presumably deliberate, confirm
olcDbEnvFlags: nometasync
olcAccess: to attrs=userPassword
by dn.exact="cn=Manager,dc=local" write
by self write
by anonymous auth
by * none
olcAccess: to *
by dn.exact="cn=Manager,dc=local" write
by self write
by * read
olcLimits: dn.exact="cn=Manager,dc=local" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSyncrepl: rid=3 provider=ldap://ldap01.local
searchbase="dc=local" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +"
bindmethod=simple binddn="cn=Manager,dc=local"
credentials=password
starttls=critical
tls_cert=/etc/pki/tls/certs/Manager.crt
tls_key=/etc/pki/tls/private/Manager.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
olcSyncrepl: rid=4 provider=ldap://ldap02.local
searchbase="dc=local" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +"
bindmethod=simple binddn="cn=Manager,dc=local"
credentials=password
starttls=critical
tls_cert=/etc/pki/tls/certs/Manager.crt
tls_key=/etc/pki/tls/private/Manager.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
# required together with syncprov for multi-master replication
olcMirrorMode: TRUE
# add the syncprov overlay to the cn=config database
# syncprov turns each database into a provider for the other server;
# olcSpCheckpoint/olcSpSessionlog are left at defaults here
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# add the syncprov overlay to the main mdb database
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
-------------------------------------------------------------------
Config ldap02:
-------------------------------------------------------------------
# global configuration settings
# Review notes (ldap02, cn=config):
# - olcTLSCertificateFile/olcTLSCertificateKeyFile below point at
#   ldap01.local.crt / ldap01.local.key.crt, i.e. the ldap01 certificate.
#   A consumer connecting to ldap://ldap02.local with tls_reqcert=demand
#   therefore sees CN=ldap01.local and fails with exactly the reported
#   "hostname (ldap02.local) does not match common name in certificate
#   (ldap01.local)". Whether this was typed in or arrived through
#   cn=config replication from ldap01, the fix is the same: use one
#   host-neutral file path on both hosts (for example
#   /etc/pki/tls/certs/slapd.crt - an example name) holding each host's
#   own certificate, so the replicated value is right everywhere.
# - olcTLSCipherSuite is set here but not on ldap01; with a replicated
#   cn=config only one of the two global entries survives, so decide on
#   one cipher list for both. TLSv1+HIGH still permits 128-bit suites,
#   which olcSecurity ssf=256 would reject - confirm the negotiated
#   cipher.
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap-2.4/slapd-2.4.args
olcPidFile: /var/run/openldap-2.4/slapd-2.4.pid
olcLogFile: /var/log/openldap-2.4/slapd-2.4.log
# verbose debug level (trace..config plus sync); lower it after debugging
olcLogLevel: 127 16384
olcTLSCACertificateFile: /etc/pki/tls/certs/Test-CA.crt
# BUG: this host is ldap02 but presents ldap01's certificate and key
olcTLSCertificateFile: /etc/pki/tls/certs/ldap01.local.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap01.local.key.crt
olcTLSCipherSuite: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!RC4:@STRENGTH
# every TLS client, including the peer's syncrepl consumer, must present
# a Test-CA-signed client certificate
olcTLSVerifyClient: demand
olcLocalSSF: 256
olcSecurity: ssf=256
olcPasswordCryptSaltFormat: $6$%s
olcPasswordHash: {CRYPT}
# the server ID is chosen by matching its listener URL; this host must
# listen on ldap://ldap02.local (slapd -h not shown - confirm)
olcServerID: 1 ldap://ldap01.local
olcServerID: 2 ldap://ldap02.local
# load modules
# NOTE(review): this list differs from ldap01 (memberof, refint, auditlog
# and ppolicy are loaded here only, and no overlay entry uses them in the
# listing). With cn=config replicated, presumably only one list survives;
# keep the module lists identical on both hosts.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/lib64/openldap-2.4
olcModuleLoad: back_mdb.la
olcModuleLoad: back_monitor.la
olcModuleLoad: memberof.la
olcModuleLoad: refint.la
olcModuleLoad: auditlog.la
olcModuleLoad: ppolicy.la
# syncprov is required on every provider in the multi-master ring
olcModuleload: syncprov.la
# schema definitions
# same schema set as ldap01
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
# include the schemas
include: file:///etc/openldap-2.4/schema/core.ldif
include: file:///etc/openldap-2.4/schema/corba.ldif
include: file:///etc/openldap-2.4/schema/cosine.ldif
include: file:///etc/openldap-2.4/schema/duaconf.ldif
include: file:///etc/openldap-2.4/schema/dyngroup.ldif
include: file:///etc/openldap-2.4/schema/inetorgperson.ldif
include: file:///etc/openldap-2.4/schema/java.ldif
include: file:///etc/openldap-2.4/schema/misc.ldif
include: file:///etc/openldap-2.4/schema/nis.ldif
include: file:///etc/openldap-2.4/schema/openldap.ldif
include: file:///etc/openldap-2.4/schema/ppolicy.ldif
include: file:///etc/openldap-2.4/schema/collective.ldif
# global database parameters
# frontend entry with no attributes of its own, as on ldap01
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
# setup cn=config
# Review notes (ldap02, config database) - identical to the ldap01 entry:
# - rid=1 uses credentials=password, rid=2 uses credentials=1234; each
#   must match the olcRootPW of the provider it names, and with a
#   replicated cn=config there is only one olcRootPW, so both should be
#   the same value. Verify which one is correct.
# - Clear-text credentials live in cn=config and in slapd.d on disk;
#   the olcAccess below restricts in-directory reads to the dc=local
#   manager, the on-disk file modes are not visible here.
# - tls_reqcert=demand verifies the provider chain and hostname; with
#   the wrong certificate configured on ldap02 the rid=2 connection fails
#   exactly as reported.
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
# placeholder value; the real hash is not part of the listing
olcRootPW: {CRYPT}$6$<somepass>
olcSyncrepl: rid=1 provider=ldap://ldap01.local
searchbase="cn=config" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +"
bindmethod=simple binddn="cn=config" credentials=password
starttls=critical tls_cert=/etc/pki/tls/certs/config.crt
tls_key=/etc/pki/tls/private/config.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
olcSyncrepl: rid=2 provider=ldap://ldap02.local
searchbase="cn=config" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple
binddn="cn=config" credentials=1234 starttls=critical
tls_cert=/etc/pki/tls/certs/config.crt
tls_key=/etc/pki/tls/private/config.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
# required together with syncprov for multi-master replication
olcMirrorMode: TRUE
olcAccess: to *
by dn.exact="cn=Manager,dc=local" write
by * none
# setup monitoring
# cn=Monitor readable only by the dc=local manager, as on ldap01
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: monitor
olcAccess: to dn.subtree=cn=Monitor
by dn.exact="cn=Manager,dc=local" write
by * none
# add the syncprov overlay to the cn=config database
# NOTE(review): this listing has no olcDatabase={2}mdb entry and no
# syncprov overlay for it, yet ldap01's rid=4 pulls dc=local from
# ldap://ldap02.local. Either the entry was left out of the mail or it is
# expected to arrive through cn=config replication - confirm that ldap02
# actually serves dc=local with syncprov before debugging the dc=local
# consumers.
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
Thank you for any pointers.
Regards,
Patrick