Re: n-way multimaster replication with ssl and tls

Yes

I am able to access using JXplorer using tls and 636.

I am using diff self singed certificate for each server.

I have done same configuration on 3 servers.

i am having /etc/openldap/ldap.conf and /apps/openldap/etc/openldap/ldap.conf file

I have compiled ldap to /apps/openldap directory.

I am getting same output running on each server against the other 2 servers.

[root@sjprodam01 ~]# openssl s_client -connect mmprodam01.abc.com:636 -showcerts CONNECTED(00000003) depth=0 C = IN, ST = HR, L = GGN, O = SAP, OU = ISST, CN = mmprodam01.abc.com verify error:num=18:self signed certificate verify return:1 depth=0 C = IN, ST = HR, L = GGN, O = SAP, OU = ISST, CN = mmprodam01.abc.com verify return:1 --- Certificate chain 0 s:/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com i:/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com -----BEGIN CERTIFICATE----- MIICoDCCAgmgAwIBAgIJAJ5P5x76CGAUMA0GCSqGSIb3DQEBBQUAMGkxCzAJBgNV BAYTAklOMQswCQYDVQQIDAJIUjEMMAoGA1UEBwwDR0dOMRAwDgYDVQQKDAdTQVBJ RU5UMQ0wCwYDVQQLDARJU1NUMR4wHAYDVQQDDBVtbXByb2RhbTAxLm5hc2Nhci5j b20wHhcNMTIxMTE2MDMyMDAxWhcNMTMxMTE2MDMyMDAxWjBpMQswCQYDVQQGEwJJ TjELMAkGA1UECAwCSFIxDDAKBgNVBAcMA0dHTjEQMA4GA1UECgwHU0FQSUVOVDEN MAsGA1UECwwESVNTVDEeMBwGA1UEAwwVbW1wcm9kYW0wMS5uYXNjYXIuY29tMIGf MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDETDjOiWY1hkHcZ82BRtDabD7mPN8 A9OwLAule0NC6Y76mI8fHDs+vip9P6ASyVaSkxT8g+dOLGDBBy7winj52wcnP9aW u38kE5Sm+suSFLlJ3A0uIfgmLr6dglyGsFMiYJCkeHKxBpF5zeJHTnKpqWZ+emwj XwO0Dv22AYvATQIDAQABo1AwTjAdBgNVHQ4EFgQUhhRZ1mSzr1zccS4aHSKcoy8o F5owHwYDVR0jBBgwFoAUhhRZ1mSzr1zccS4aHSKcoy8oF5owDAYDVR0TBAUwAwEB /zANBgkqhkiG9w0BAQUFAAOBgQCr2gh0U000EttpCQeSjAoUjjkHB3zWMpGZ64Pr SynPEy7uTFT4N5SRx11dZAHIOslQLhr8MiobqX+9EGvQo9ua3TQKd/jT+tgX32Nc iZZyerd6IcT4SZTvH67UZwTxtlqu397Ti8cI8fcqziHoY76MBHCVcG6pvpW4e5H+ LvitdA== -----END CERTIFICATE----- --- Server certificate subject=/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com issuer=/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com --- No client certificate CA names sent --- SSL handshake has read 1008 bytes and written 311 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 2D97EE613D427036C9A1B1BB5E2371283763DDA8A761D9BED3385D4793E6E061 Session-ID-ctx: Master-Key: 161A39EC4E5B5C0E0F211A014E6CE4B643F77C8C77B9175BFEF399A08319A56C9C199AF417E09EA9508579368E31F7AA Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket: 0000 - 82 43 eb e1 46 c2 bd 6f-7a 8b 44 20 cc 8a d5 c4 .C..F..oz.D .... 0010 - 9f 34 ee 02 36 1b 24 32-05 7e e4 3c a7 de 01 e6 .4..6.$2.~.<.... 0020 - c0 b9 39 8b 50 b6 b8 b2-21 3a 81 02 16 3d a1 b1 ..9.P...!:...=.. 0030 - b6 ac 98 fe 34 f5 ba e2-f1 e2 30 c8 ed ad f8 8b ....4.....0..... 0040 - 00 5f bf f8 ed 75 90 65-7e c1 e6 b5 b1 e7 a3 ba ._...u.e~....... 0050 - 75 67 6e a3 d2 ab f5 2b-20 77 31 90 cd 3f b0 38 ugn....+ w1..?.8 0060 - 1f 60 da e9 8e dc 7c e2-97 56 95 55 61 c9 51 da .`....|..V.Ua.Q. 0070 - c7 4f 65 13 48 64 8f 67-1d d1 75 b2 91 b2 7c b5 .Oe.Hd.g..u...|. 0080 - 7e 5f 6b 7b 61 e3 73 63-2b d7 91 c0 91 61 e7 27 ~_k{a.sc +....a.' 0090 - 16 4b c5 e9 e0 ea 03 7a-6c 77 51 77 5c b6 f0 93 .K.....zlwQw... 00a0 - ab 82 f9 8c 23 06 61 88-86 43 5a 20 1a 11 c5 e7 ....#.a..CZ ....

Compression: 1 (zlib compression) Start Time: 1353129151 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- ^C

On Sat, Nov 17, 2012 at 11:22 AM, houston houston.r.hopkins@gmail.comwrote:

just curious, did you get ldap running over ssl on rhel 6.3? if so did you have to compile your ownnor did you use the red hat version? i cant seem to get ldapsearch to work over ldaps when using red hats 2.4 version

thx, Houston

anil beniwal beni.anil@gmail.com wrote: Hi List

Can any body guide me through the steps required to setup n-way multimaster(3 or more servers at diff countries) replication with openldap 2.4.2

1. ssl based
2. tls based

I am having normal replication running b/w 3 servers. Now i want to setup secure replication.

i am using self signed certificate on RHEL 6.3. How can i validate whether replication is working fine for ssl or tls. How to enable replication logs.

Anything else i should check out.

I have already gone through a lot of postings on google.

--

Thanks&Regards Anil Beniwal