Hi,
after upgrading from openldap-2.4.44-r1 to openldap-2.4.45 on my Gentoo machine, multi-master replication does not work anymore.
Has anything changed in the configuration options for syncrepl, or are certificates treated differently now?
In the logs I found the following message:
Jun 22 10:33:13 ids00000 slapd[30734]: [ID 000001 (local4.debug)] slap_client_connect: URI=ldaps://ldap.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
Running slapd in foreground with -d -1 revealed this message:
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
594b8120 slap_client_connect: URI=ldaps://ldap.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
My syncrepl configuration:
syncrepl rid=000 provider=ldaps://ldap.dannatu.ch:636 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=dannatu,dc=ch" attrs="*,+" scope=sub bindmethod=simple binddn="cn=Manager,dc=dannatu,dc=ch" credentials=**************
I have verified the certificate and my self-signed CA certificate with openssl, and both are OK:
# openssl verify /etc/ssl/certs/dannatuCA-cacert.pem
/etc/ssl/certs/dannatuCA-cacert.pem: OK
# openssl verify /etc/ssl/openldap/dannatu.ch.pem
/etc/ssl/openldap/dannatu.ch.pem: OK
Verification with openssl s_client also seems OK:
# openssl s_client -connect ldap.dannatu.ch:636 -tls1_2
CONNECTED(00000003)
depth=1 C = CH, ST = Solothurn, L = Solothurn, O = Dannatu AG, OU = IT, CN = Dannatu AG CA, emailAddress = admin@dannatu.ch
verify return:1
depth=0 C = CH, ST = Solothurn, L = Solothurn, O = Dannatu AG, OU = IT, CN = dannatu.ch, emailAddress = admin@dannatu.ch
verify return:1
---
Certificate chain
 0 s:/C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddress=admin@dannatu.ch
   i:/C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
 1 s:/C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
   i:/C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
---
After downgrading to openldap-2.4.44-r1 everything worked fine again. It seems certificate handling has changed. Any hints?
Juergen Sprenger