Hi,
As an exercise I tried setting up a 2 node N-Way Multi-Master with TLS and TLS replication based on section 18.3.3 of the Admin Gguide. I bumped into a problem that I haven't been able to fix. The error is:
TLS: hostname (ldap02.local) does not match common name in certificate (ldap01.local). 51f87d48 slap_client_connect: URI=ldap://ldap02.local Error, ldap_start_tls failed (-11
I have tested the certificates manually and I can't see anything wrong with them. I use FQDNs everywhere. Also it seems odd that, based on strace slapd output, ldap01 needs acess to the public and private certificate of ldap02 and vice versa.
OpenLDAP version 2.4.35 + fixes recommended by Quanah on the list. Ntp is running, iptables & SELinux are off
The config below is added with: slapadd -v -F /etc/openldap-2.4/slapd.d -l ./test.ldif -n 0
Anyone have a hint what I am doing wrong?
------------------------------------------------------------------- Config ldap01: -------------------------------------------------------------------
# global configuration settings dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap-2.4/slapd-2.4.args olcPidFile: /var/run/openldap-2.4/slapd-2.4.pid olcLogFile: /var/log/openldap-2.4/slapd-2.4.log olcLogLevel: 127 16384 olcTLSCACertificateFile: /etc/pki/tls/certs/Test-CA.crt olcTLSCertificateFile: /etc/pki/tls/certs/ldap01.local.crt olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap01.local.key.crt olcTLSVerifyClient: demand olcLocalSSF: 256 olcSecurity: ssf=256 olcPasswordCryptSaltFormat: $6$%s olcPasswordHash: {CRYPT} olcServerID: 1 ldap://ldap01.local olcServerID: 2 ldap://ldap02.local
# load modules dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/local/lib64/openldap-2.4 olcModuleLoad: back_mdb.la olcModuleLoad: back_monitor.la olcModuleload: syncprov.la
# schema definitions dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema
# include the schemas include: file:///etc/openldap-2.4/schema/core.ldif include: file:///etc/openldap-2.4/schema/corba.ldif include: file:///etc/openldap-2.4/schema/cosine.ldif include: file:///etc/openldap-2.4/schema/duaconf.ldif include: file:///etc/openldap-2.4/schema/dyngroup.ldif include: file:///etc/openldap-2.4/schema/inetorgperson.ldif include: file:///etc/openldap-2.4/schema/java.ldif include: file:///etc/openldap-2.4/schema/misc.ldif include: file:///etc/openldap-2.4/schema/nis.ldif include: file:///etc/openldap-2.4/schema/openldap.ldif include: file:///etc/openldap-2.4/schema/ppolicy.ldif include: file:///etc/openldap-2.4/schema/collective.ldif
# global database parameters dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend
# setup cn=config dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcRootPW: {CRYPT}$6$<somepass> olcSyncrepl: rid=1 provider=ldap://ldap01.local searchbase="cn=config" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=config" credentials=password starttls=critical tls_cert=/etc/pki/tls/certs/config.crt tls_key=/etc/pki/tls/private/config.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcSyncrepl: rid=2 provider=ldap://ldap02.local searchbase="cn=config" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=config" credentials=1234 starttls=critical tls_cert=/etc/pki/tls/certs/config.crt tls_key=/etc/pki/tls/private/config.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcMirrorMode: TRUE olcAccess: to * by dn.exact="cn=Manager,dc=local" write by * none
# setup monitoring dn: olcDatabase={1}monitor,cn=config objectClass: olcDatabaseConfig objectClass: olcMonitorConfig olcDatabase: monitor olcAccess: to dn.subtree=cn=Monitor by dn.exact="cn=Manager,dc=local" write by * none
dn: olcDatabase={2}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcSuffix: dc=local olcRootDN: cn=Manager,dc=local olcRootPW: {CRYPT}$6$<somepass> olcDbDirectory: /var/lib/ldap-2.4/local olcDbIndex: cn pres,eq,sub olcDbIndex: gidNumber pres,eq olcDbIndex: mail pres,eq,sub olcDbIndex: memberUid pres,eq olcDbIndex: objectClass pres,eq olcDbIndex: ou pres,eq,sub olcDbIndex: sn pres,eq,sub olcDbIndex: uid pres,eq olcDbIndex: uidNumber pres,eq olcDbIndex: entryCSN eq olcDbIndex: entryUUID eq olcDbMaxReaders: 0 olcDbMode: 0600 olcDbSearchStack: 16 # size in bytes - 1GB = 1073741824 bytes olcDbMaxSize: 5368709120 olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: TRUE olcDbNoSync: FALSE olcSizeLimit: unlimited olcTimeLimit: unlimited olcDbEnvFlags: writemap olcDbEnvFlags: nometasync olcAccess: to attrs=userPassword by dn.exact="cn=Manager,dc=local" write by self write by anonymous auth by * none olcAccess: to * by dn.exact="cn=Manager,dc=local" write by self write by * read olcLimits: dn.exact="cn=Manager,dc=local" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited olcSyncrepl: rid=3 provider=ldap://ldap01.local searchbase="dc=local" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=Manager,dc=local" credentials=password starttls=critical tls_cert=/etc/pki/tls/certs/Manager.crt tls_key=/etc/pki/tls/private/Manager.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcSyncrepl: rid=4 provider=ldap://ldap02.local searchbase="dc=local" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=Manager,dc=local" credentials=password starttls=critical tls_cert=/etc/pki/tls/certs/Manager.crt tls_key=/etc/pki/tls/private/Manager.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcMirrorMode: TRUE
# add the syncprov overlay to the cn=config database dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov
# add the syncprov overlay to the main mdb database dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov
------------------------------------------------------------------- Config ldap02: -------------------------------------------------------------------
# global configuration settings dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap-2.4/slapd-2.4.args olcPidFile: /var/run/openldap-2.4/slapd-2.4.pid olcLogFile: /var/log/openldap-2.4/slapd-2.4.log olcLogLevel: 127 16384 olcTLSCACertificateFile: /etc/pki/tls/certs/Test-CA.crt olcTLSCertificateFile: /etc/pki/tls/certs/ldap01.local.crt olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap01.local.key.crt olcTLSCipherSuite: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!RC4:@STRENGTH olcTLSVerifyClient: demand olcLocalSSF: 256 olcSecurity: ssf=256 olcPasswordCryptSaltFormat: $6$%s olcPasswordHash: {CRYPT} olcServerID: 1 ldap://ldap01.local olcServerID: 2 ldap://ldap02.local
# load modules dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/local/lib64/openldap-2.4 olcModuleLoad: back_mdb.la olcModuleLoad: back_monitor.la olcModuleLoad: memberof.la olcModuleLoad: refint.la olcModuleLoad: auditlog.la olcModuleLoad: ppolicy.la olcModuleload: syncprov.la
# schema definitions dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema
# include the schemas include: file:///etc/openldap-2.4/schema/core.ldif include: file:///etc/openldap-2.4/schema/corba.ldif include: file:///etc/openldap-2.4/schema/cosine.ldif include: file:///etc/openldap-2.4/schema/duaconf.ldif include: file:///etc/openldap-2.4/schema/dyngroup.ldif include: file:///etc/openldap-2.4/schema/inetorgperson.ldif include: file:///etc/openldap-2.4/schema/java.ldif include: file:///etc/openldap-2.4/schema/misc.ldif include: file:///etc/openldap-2.4/schema/nis.ldif include: file:///etc/openldap-2.4/schema/openldap.ldif include: file:///etc/openldap-2.4/schema/ppolicy.ldif include: file:///etc/openldap-2.4/schema/collective.ldif
# global database parameters dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend
# setup cn=config dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcRootPW: {CRYPT}$6$<somepass> olcSyncrepl: rid=1 provider=ldap://ldap01.local searchbase="cn=config" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=config" credentials=password starttls=critical tls_cert=/etc/pki/tls/certs/config.crt tls_key=/etc/pki/tls/private/config.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcSyncrepl: rid=2 provider=ldap://ldap02.local searchbase="cn=config" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=config" credentials=1234 starttls=critical tls_cert=/etc/pki/tls/certs/config.crt tls_key=/etc/pki/tls/private/config.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcMirrorMode: TRUE olcAccess: to * by dn.exact="cn=Manager,dc=local" write by * none
# setup monitoring dn: olcDatabase={1}monitor,cn=config objectClass: olcDatabaseConfig objectClass: olcMonitorConfig olcDatabase: monitor olcAccess: to dn.subtree=cn=Monitor by dn.exact="cn=Manager,dc=local" write by * none
# add the syncprov overlay to the cn=config database dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov
Thank you for any pointers.
Regards, Patrick