Hello,
I have two LDAP servers; my goal is to configure them in multimaster mode with SASL authentication based on certificates. With the following configurations, this works well:
### slapd.conf for ldap1 :
syncrepl rid=121 provider=ldap://ldap2.example.fr
    searchbase="dc=example,dc=fr"
    schemachecking=on
    type=refreshOnly
    interval=00:00:00:05
    retry="10 +"
    bindmethod=sasl
    saslmech=external
    authcid="cn=replicator,ou=system,dc=example,dc=fr"
    authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
    tls_cert=/etc/openldap/cacerts/syncrepl.crt
    tls_key=/etc/openldap/cacerts/syncrepl.key
    tls_reqcert=demand
mirrormode on
### slapd.conf for ldap2 :
syncrepl rid=211 provider=ldap://ldap1.example.fr
    searchbase="dc=example,dc=fr"
    schemachecking=on
    type=refreshOnly
    interval=00:00:00:05
    retry="10 +"
    bindmethod=sasl
    saslmech=external
    authcid="cn=replicator,ou=system,dc=example,dc=fr"
    authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
    tls_cert=/etc/openldap/cacerts/syncrepl.crt
    tls_key=/etc/openldap/cacerts/syncrepl.key
    tls_reqcert=demand
mirrormode on
# of course I have provided the CA certificate in both files:
TLSCACertificateFile /etc/openldap/cacerts/CA.crt
# I also configured the ACLs properly for "replicator"
# and have issued the right certificate
-> No problem, it works.
Now I have also configured certificates to be able to talk to the servers over TLS:
### slapd.conf for ldap1 :
TLSCertificateFile /etc/openldap/cacerts/server1.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server1.key
TLSCipherSuite HIGH
### slapd.conf for ldap2 :
TLSCertificateFile /etc/openldap/cacerts/server2.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server2.key
TLSCipherSuite HIGH
That also works perfectly (ldapsearch with -ZZ responds properly).
I therefore decided to try StartTLS for the synchronisation.
I added to the syncrepl directive on ldap1:
## ldap1
syncrepl ... starttls=yes tls_cacert=/etc/openldap/cacerts/CA.crt ...
And the synchronization worked well, TLS being started when ldap1 is the client.
I then added the starttls directive on server ldap2 and removed it on server ldap1:
## ldap2
syncrepl ... starttls=yes tls_cacert=/etc/openldap/cacerts/CA.crt ...
The synchronization also worked well, TLS being started this time when ldap2 is the client.
HERE IS THE PROBLEM :
I tried StartTLS in both syncrepl directives, on both servers ldap1 and ldap2; here is what I get:

ldap1 # /usr/sbin/slapd -f slapd.conf -h ldap:/// -u ldap -d Sync
...
TLS: error: accept - force handshake failure: errno 11 - moznss error -12273
TLS: can't accept: TLS error -12273:Unknown code ___P 15.
TLS: error: connect - force handshake failure: errno 0 - moznss error -12272
TLS: can't connect: TLS error -12272:Unknown code ___P 16.
slap_client_connect: URI=ldap://ldap2.example.fr Warning, ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap2.example.fr ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=121 rc -6 retrying

ldap2 # /usr/sbin/slapd -f slapd.conf -h ldap:/// -u ldap -d Sync
...
TLS: error: connect - force handshake failure: errno 0 - moznss error -12272
TLS: can't connect: TLS error -12272:Unknown code ___P 16.
slap_client_connect: URI=ldap://ldap1.example.fr:389 Warning, ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap1.example.fr:389 ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=211 rc -6 retrying
TLS: error: accept - force handshake failure: errno 11 - moznss error -12273
TLS: can't accept: TLS error -12273:Unknown code ___P 15.
Any idea?
--- Olivier
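An added helper, not part of Olivier's post or of OpenLDAP: a small linter for the syncrepl directives above that parses slapd.conf continuation lines and flags the settings a replication operator checks before enabling starttls (starttls without a tls_cacert to verify the provider, tls_reqcert weaker than demand, and SASL EXTERNAL without a client tls_cert/tls_key). The sample configuration is a constructed copy of the ldap1 directive from the post.

```python
"""Lint syncrepl directives in a slapd.conf for StartTLS / SASL EXTERNAL consistency."""
import shlex

# Constructed sample: the ldap1 directive from the post, with starttls added.
CLEAN_CONF = """
TLSCACertificateFile /etc/openldap/cacerts/CA.crt
syncrepl rid=121 provider=ldap://ldap2.example.fr
    searchbase="dc=example,dc=fr" schemachecking=on type=refreshOnly
    interval=00:00:00:05 retry="10 +" bindmethod=sasl saslmech=external
    authcid="cn=replicator,ou=system,dc=example,dc=fr"
    starttls=yes tls_cacert=/etc/openldap/cacerts/CA.crt
    tls_cert=/etc/openldap/cacerts/syncrepl.crt
    tls_key=/etc/openldap/cacerts/syncrepl.key tls_reqcert=demand
mirrormode on
"""
# Constructed weak variant: CA for verification removed, peer verification turned off.
WEAK_CONF = (CLEAN_CONF.replace("tls_cacert=/etc/openldap/cacerts/CA.crt", "")
                       .replace("tls_reqcert=demand", "tls_reqcert=never"))


def join_continuations(text):
    """slapd.conf continues a directive on lines that start with whitespace."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_syncrepl(line):
    """Turn 'syncrepl k=v k="v v"' into a dict; shlex strips the quotes."""
    return dict(tok.split("=", 1) for tok in shlex.split(line)[1:])


def lint(text):
    """Return a list of findings (empty when the directives look consistent)."""
    findings = []
    for line in join_continuations(text):
        if not line.startswith("syncrepl"):
            continue
        s = parse_syncrepl(line)
        rid = s.get("rid", "?")
        if s.get("starttls") in ("yes", "critical"):
            if not s.get("tls_cacert"):
                findings.append(f"rid={rid}: starttls set but no tls_cacert to verify the provider")
            if s.get("tls_reqcert", "demand") != "demand":
                findings.append(f"rid={rid}: tls_reqcert={s['tls_reqcert']} disables peer verification")
        if s.get("saslmech", "").lower() == "external" and not (s.get("tls_cert") and s.get("tls_key")):
            findings.append(f"rid={rid}: SASL EXTERNAL needs tls_cert and tls_key")
    return findings
```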