Hello,
I'm trying to upgrade an openLdap server from Fedora Core 13
(openldap-servers-2.4.21-11) to Redhat Enterprise 6
(openldap-servers-2.4.23-15.el6.x86_64).
In this new setup, my local bdb backend works: I can query the
LDAP server on this backend using an "ldaps://" connection (it is
using a server certificate).
However, the Syncrepl replication process fails to establish the
"ldaps://" session to my syncrepl providers.
Indeed, the TLS layer complains that my _server's certificate_ isn't
a valid _client certificate_ (with error 8101 -
SEC_ERROR_INADEQUATE_CERT_TYPE): but I don't want client-side
authentication!
In the past syncrepl didn't try to use the server certificate as a
client certificate, and I haven't seen any reference to this in
the documentation.
I first thought it could have been related to ITS#6791 but I don't
think so anymore because it only affects Syncrepl.
Do you think I've missed something in the setup?
Thanks in advance,
Thibault
Here is an excerpt of slapd startup log in debug-mode:
----------------------------------------------------------
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate
[CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is not
valid - error -8101:Unknown code ___f 91.
TLS: error: unable to set up client certificate authentication for
certificate named PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: unable to set up client certificate authentication
using PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: could not initialize moznss security context - error
-8101:Unknown code ___f 91
TLS: can't create ssl handle.
slap_client_connect: URI=ldaps://otherldap.mydom.fr DN="cn=myreplicationAccount,dc=mydom,dc=fr" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=125 rc -1 retrying (9 retries left)
----------------------------------------------------------
Here is my syncrepl setup:
---------------------------------------------------------
syncrepl rid=125
provider=ldaps://otherldap.mydom.fr
type=refreshOnly
interval=00:00:03:00
retry="60 10 300 +"
searchbase="dc=subranch,dc=mydom,dc=fr"
filter="(objectClass=*)"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=myreplicationAccount,dc=mydom,dc=fr"
credentials="MyVerySecretPassword"
---------------------------------------------------------
My setup related to TLS:
---------------------------------------------------------
TLSCipherSuite HIGH
TLSCertificateFile /etc/ssl/certs/myldap.mydom.fr-cert.pem
TLSCertificateKeyFile /etc/ssl/keys/myldap.mydom.fr-key.pem
TLSCACertificateFile /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------
And finally my /etc/openldap/ldap.conf:
---------------------------------------------------------
TLS_CACERT /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------
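The script below is an added example and is not part of the original post or of the OpenLDAP project. It shows how to check whether a PEM certificate, such as the one named by TLSCertificateFile above, carries an Extended Key Usage that permits TLS client authentication. It assumes (this is an interpretation, not something the post confirms) that NSS's SEC_ERROR_INADEQUATE_CERT_TYPE reflects a certificate whose EKU restricts it to server use, so that a cert issued with serverAuth only cannot also be offered as a client certificate on an outbound syncrepl connection. The two certificates it inspects are constructed on the fly with openssl (self-signed, one-day validity) purely as test data; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a certificate's
# Extended Key Usage to see whether it may act as a TLS client certificate.

# cert_allows_client_auth FILE
#   Returns 0 if the certificate may be used for TLS client authentication:
#   either it has no EKU extension at all (RFC 5280: no restriction), or the
#   EKU list contains clientAuth ("TLS Web Client Authentication").
#   Returns 1 if an EKU is present but clientAuth is missing.
#   Note: this checks EKU only; the legacy nsCertType extension is ignored.
cert_allows_client_auth() {
  eku=$(openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; print }')
  if [ -z "$eku" ]; then
    return 0
  fi
  case "$eku" in
    *"TLS Web Client Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# make_test_cert OUT_PEM "eku1, eku2"
#   Constructed test data: a self-signed RSA certificate for
#   CN=myldap.mydom.fr with the given extendedKeyUsage values.
#   The private key is written next to the certificate with a .key suffix.
make_test_cert() {
  out=$1
  eku=$2
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = myldap.mydom.fr
[v3]
extendedKeyUsage = $eku
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
    -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
  rm -f "$cfg"
}

# report FILE: human-readable verdict for one certificate
report() {
  if cert_allows_client_auth "$1"; then
    echo "$1: usable as a TLS client certificate"
  else
    echo "$1: EKU forbids TLS client authentication (serverAuth only?)"
  fi
}

# Demonstration on constructed certificates: one issued for serverAuth
# only (the shape that would be rejected as a client cert) and one issued
# for both serverAuth and clientAuth.
work=$(mktemp -d)
make_test_cert "$work/server-only.pem" "serverAuth"
make_test_cert "$work/server-and-client.pem" "serverAuth, clientAuth"
report "$work/server-only.pem"
report "$work/server-and-client.pem"
rm -rf "$work"
```

To check the certificate from the configuration above, run `cert_allows_client_auth /etc/ssl/certs/myldap.mydom.fr-cert.pem` (or `report` on the same path). A certificate that is to serve both slapd's listener and its outbound syncrepl connections needs both serverAuth and clientAuth in its EKU, or no EKU at all.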