On 10/11/2011 04:49 AM, Olivier wrote:
mmhhh..
In summary :
I managed to set up servers so that usual clients can use TLS to connect to the server (ldapsearch with -ZZ works).
I managed to set up ONE ldap server to syncrepl on another one using saslmech=external and verifying the provider certificate.
I CAN'T manage to set up two ldap servers to syncrepl on each other (N-WAY) using saslmech=external, and I get very strange outputs depending on when the synchronisation happens (it looks different depending on whether queries and responses overlap or not).
Not sure whether this new one I got could help:
@(#) $OpenLDAP: slapd 2.4.23 (Sep 20 2011 08:28:48) $
        mockbuild@x86-006.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-1)
do_syncrepl: rid=211 rc -1 retrying
slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-1)
slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-1)
do_syncrepl: rid=211 rc -1 retrying
TLS: could not read certificate file AW��I��AVAUATUH��SH��8 - error -5950:File not found.
TLS: AW��I��AVAUATUH��SH��8 is not a valid CA certificate file - error -5950:File not found.
TLS: could not get info about the CA certificate directory H�l$�H��H�$�H��XH��H��1���c��H��H��1�� - error -5950:File not found.
TLS: did not find any valid CA certificates in H�l$�H��H�$�H��XH��H��1���c��H��H��1�� or AW��I��AVAUATUH��SH��8
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5950:File not found
TLS: can't create ssl handle.
slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=211 rc -6 retrying
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=211 rc -6 retrying
slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
When I don't change anything in the config of the one that produced this output, but change only the config of the other one so that it is only a provider (or vice versa), then I get no error ??
On Tue, Oct 11, 2011 at 11:10 AM, Olivier <ldap@guillard.nom.fr> wrote:
I now have a new issue with TLS: the certificate files are not even read and presented to the server anymore.
I have this on server ldap2 :
syncrepl rid=211
        provider=ldap://ldap1.example.fr:389
        searchbase="dc=example,dc=fr"
        schemachecking=on
        type=refreshOnly
        interval=00:00:00:05
        retry="10 +"
        bindmethod=sasl
        saslmech=external
        authcid="cn=replicator,ou=system,dc=example,dc=fr"
        authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
        tls_cacert=/etc/openldap/cacerts/CA.crt
        tls_cert=/etc/openldap/cacerts/syncrepl.crt
        tls_key=/etc/openldap/cacerts/syncrepl.key
        tls_reqcert=demand
I get this error: "ldap_sasl_interactive_bind_s failed (-6)"
and if I launch slapd through strace I see that /etc/openldap/cacerts/syncrepl.crt is never opened (and therefore never presented to the server).
Note that on the server I have configured :
TLSVerifyClient demand
to be sure that the server asks for the certificate.
What have I forgotten? Please help me diagnose where the problem is.
Not sure. Is this https://bugzilla.redhat.com/show_bug.cgi?id=707599 ?
Might also be a symptom of https://bugzilla.redhat.com/show_bug.cgi?id=709407 and https://bugzilla.redhat.com/show_bug.cgi?id=731168 which are not yet due to be fixed in RHEL 6.1.z but are due to be fixed in RHEL 6.2.0
Any chance you could attempt to reproduce with 6.2?
Olivier
P.S :
I can't be absolutely affirmative since I'm still testing, but I think that this worked before, and I am starting to believe that the update from openldap-servers-2.4.23-15.el6_1.1.x86_64 to openldap-servers-2.4.23-15.el6_1.3.x86_64
on Red Hat 6 causes problems.
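Before suspecting the package, it is worth checking statically that the consumer's syncrepl directive gives slapd everything a SASL EXTERNAL bind over TLS needs and that the referenced files are actually readable by the slapd user. The script below is an added example for this thread, not code from the posts or from OpenLDAP: it parses a slapd.conf syncrepl line (quoted values included), lists missing TLS parameters, recommends starttls=critical for an ldap:// provider so that a failed StartTLS aborts the attempt instead of being logged as a warning followed by a bind attempt, and checks readability and permissions of the key file. The sample directive and paths are the ones quoted in the thread; the finding texts are this example's own.

```python
"""Static checks for a slapd.conf syncrepl directive that binds with
SASL EXTERNAL over TLS.  Added example for this thread; not OpenLDAP code."""
import os
import shlex
import stat
from typing import Dict, List

# Constructed sample: the directive from the thread, joined onto one line as
# slapd sees it once slapd.conf continuation lines are folded.
SAMPLE_DIRECTIVE = (
    'syncrepl rid=211 provider=ldap://ldap1.example.fr:389 '
    'searchbase="dc=example,dc=fr" schemachecking=on type=refreshOnly '
    'interval=00:00:00:05 retry="10 +" bindmethod=sasl saslmech=external '
    'authcid="cn=replicator,ou=system,dc=example,dc=fr" '
    'authzid="dn:cn=replicator,ou=system,dc=example,dc=fr" '
    'tls_cacert=/etc/openldap/cacerts/CA.crt '
    'tls_cert=/etc/openldap/cacerts/syncrepl.crt '
    'tls_key=/etc/openldap/cacerts/syncrepl.key tls_reqcert=demand'
)


def parse_syncrepl(directive: str) -> Dict[str, str]:
    """Split a syncrepl directive into a lower-cased key -> value mapping.

    shlex.split keeps double-quoted values such as retry="10 +" together,
    so every remaining token has the form key=value.
    """
    tokens = shlex.split(directive)
    if not tokens or tokens[0].lower() != "syncrepl":
        raise ValueError("not a syncrepl directive")
    params: Dict[str, str] = {}
    for tok in tokens[1:]:
        if "=" not in tok:
            raise ValueError(f"malformed parameter: {tok!r}")
        key, value = tok.split("=", 1)   # values may themselves contain '='
        params[key.lower()] = value
    return params


def check_key_file(path: str) -> List[str]:
    """Findings for the private key: readable by the current user (run this
    as the slapd user, 'ldap' on RHEL) and not group/world readable."""
    findings: List[str] = []
    if not os.access(path, os.R_OK):
        findings.append(f"tls_key={path}: not readable by this user")
        return findings
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"tls_key={path}: private key is group/world readable (mode {mode:04o})")
    return findings


def check_external_tls(params: Dict[str, str], check_files: bool = True) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if (params.get("bindmethod", "").lower(), params.get("saslmech", "").lower()) != ("sasl", "external"):
        return findings   # the checks below only apply to SASL EXTERNAL
    for key in ("tls_cacert", "tls_cert", "tls_key"):
        if key not in params:
            findings.append(f"{key} missing: EXTERNAL needs a client cert and key, and a CA to verify the provider")
    if params.get("tls_reqcert", "").lower() != "demand":
        findings.append("tls_reqcert=demand not set: the provider certificate is not verified")
    if params.get("provider", "").startswith("ldap://") and params.get("starttls", "").lower() != "critical":
        findings.append("starttls=critical not set: a StartTLS failure is only a warning and the bind is still attempted")
    if check_files:
        for key in ("tls_cacert", "tls_cert"):
            path = params.get(key)
            if path and not os.access(path, os.R_OK):
                findings.append(f"{key}={path}: file not readable by this user")
        if params.get("tls_key"):
            findings.extend(check_key_file(params["tls_key"]))
    return findings


if __name__ == "__main__":
    for line in check_external_tls(parse_syncrepl(SAMPLE_DIRECTIVE)) or ["no findings"]:
        print(line)
```

Run it as the slapd user on the consumer so the readability checks reflect what slapd itself can open; a file that slapd cannot read is never presented to the provider, which is what the strace observation above describes.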