mmhhh..
In summary:
I managed to set up servers so that usual clients can use TLS to connect to the server (ldapsearch with -ZZ works).
I managed to set up ONE LDAP server to syncrepl from another one using saslmech=external and verifying the provider certificate.
I CAN'T manage to set up two LDAP servers to syncrepl from each other (N-WAY) using saslmech=external, and I get very strange output depending on when the synchronisation happens (it looks different depending on whether queries and responses overlap or not).
Not sure whether this new output I got could help:
@(#) $OpenLDAP: slapd 2.4.23 (Sep 20 2011 08:28:48) $
	mockbuild@x86-006.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-1)
do_syncrepl: rid=211 rc -1 retrying
slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-1)
do_syncrepl: rid=211 rc -1 retrying
TLS: could not read certificate file AW��I��AVAUATUH��SH��8 - error -5950:File not found.
TLS: AW��I��AVAUATUH��SH��8 is not a valid CA certificate file - error -5950:File not found.
TLS: could not get info about the CA certificate directory H�l$�H��H�$�H��XH��H��1���c��H��H��1�� - error -5950:File not found.
TLS: did not find any valid CA certificates in H�l$�H��H�$�H��XH��H��1���c��H��H��1�� or AW��I��AVAUATUH��SH��8
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5950:File not found
TLS: can't create ssl handle.
slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=211 rc -6 retrying
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=211 rc -6 retrying
slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
When I don't change anything in the config of the one that produced this output, but only change the config of the other one so that it is only a provider (or vice versa), then I get no error??
On Tue, Oct 11, 2011 at 11:10 AM, Olivier ldap@guillard.nom.fr wrote:
I now have a new issue with TLS: the certificate files are not even read and presented to the server anymore.
I have this on server ldap2:
syncrepl rid=211
    provider=ldap://ldap1.example.fr:389
    searchbase="dc=example,dc=fr"
    schemachecking=on
    type=refreshOnly
    interval=00:00:00:05
    retry="10 +"
    bindmethod=sasl
    saslmech=external
    authcid="cn=replicator,ou=system,dc=example,dc=fr"
    authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
    tls_cacert=/etc/openldap/cacerts/CA.crt
    tls_cert=/etc/openldap/cacerts/syncrepl.crt
    tls_key=/etc/openldap/cacerts/syncrepl.key
    tls_reqcert=demand
I get this error: "ldap_sasl_interactive_bind_s failed (-6)"
and if I launch slapd through strace I see that /etc/openldap/cacerts/syncrepl.crt is never opened (and so never presented to the server).
Note that on the server I have configured:
TLSVerifyClient demand
to be sure that the server asks for the certificate.
What have I forgotten? Please help me diagnose where the problem is.
Olivier
P.S.:
I can't be absolutely certain since I'm still testing, but I think this worked before, and I'm starting to believe that the update from openldap-servers-2.4.23-15.el6_1.1.x86_64 to openldap-servers-2.4.23-15.el6_1.3.x86_64
on Red Hat 6 causes problems.
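The strace observation above (syncrepl.crt never opened) and the later log, where slapd prints garbage bytes where the certificate and CA paths should appear, both come down to the same question: are the tls_* paths in the syncrepl directive really what slapd loads, and can it read them? The script below is an added example, not part of OpenLDAP or of this thread. It reads a slapd.conf-style file (not cn=config), joins continuation lines, pulls tls_cacert, tls_cert, tls_key and tls_reqcert out of the first syncrepl directive, and reports each file's readability from the point of view of the user running the check. All function names are hypothetical.

```shell
#!/bin/sh
# Added example (not OpenLDAP's own tooling): check that the tls_* files named
# in a slapd.conf syncrepl directive exist and are readable, and that
# tls_reqcert=demand is set. Run it as the account slapd runs as.
# All function names below are hypothetical.

# Join slapd.conf continuation lines (lines beginning with whitespace) and
# print the first syncrepl directive as a single line.
syncrepl_directive() {
    awk '/^[ \t]/ && buf != "" { buf = buf " " $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1" |
        grep '^syncrepl' | head -n 1
}

# Print the value of key=value (surrounding quotes optional) from that directive.
syncrepl_value() {
    syncrepl_directive "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\).*/\1/p"
}

# Report on each TLS file; return 1 if anything would stop slapd from
# presenting the client certificate or from verifying the provider's.
check_syncrepl_tls() {
    conf=$1
    rc=0
    for key in tls_cacert tls_cert tls_key; do
        path=$(syncrepl_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "MISSING: $key is not set in the syncrepl directive"
            rc=1
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE: $key=$path (cannot be opened as user $(id -un))"
            rc=1
        else
            echo "ok: $key=$path"
        fi
    done
    reqcert=$(syncrepl_value "$conf" tls_reqcert)
    if [ "$reqcert" != "demand" ]; then
        echo "WARN: tls_reqcert=${reqcert:-unset}; use demand so the provider certificate is verified"
        rc=1
    fi
    return $rc
}

# Usage: sh check_syncrepl_tls.sh /etc/openldap/slapd.conf
if [ -n "${1:-}" ]; then
    check_syncrepl_tls "$1"
fi
```

Run it as the account slapd runs under (ldap on Red Hat's packages), for example `su -s /bin/sh ldap -c 'sh check_syncrepl_tls.sh /etc/openldap/slapd.conf'`, since a file readable by root but not by that user looks exactly like a certificate that is "never opened". To exercise the same client certificate outside slapd, the standard ldap.conf(5) environment variables work with ldapwhoami: `LDAPTLS_CACERT=/etc/openldap/cacerts/CA.crt LDAPTLS_CERT=/etc/openldap/cacerts/syncrepl.crt LDAPTLS_KEY=/etc/openldap/cacerts/syncrepl.key ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap1.example.fr`; a successful bind there, with TLSVerifyClient demand on the provider, confirms the certificate and the SASL EXTERNAL mapping independently of the syncrepl consumer.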