Hi, I would really be grateful if a nice guy would appear and save me with this one. Simple bind replication over ldaps port does not work. I don't have a clue. There are very few guides on setting up replication over ldaps on the web or on prints. I am following this one as I am using RH: Technical blurb about Oracle Engineered Systems: Configuring OpenLDAP for High Availability. (Master/Slave or Provider/Consumer configuration) [Part 3 of 4]
Some of the suspicious bits are:

1. Concatenating the master CA cert and the original slave CA cert to make a new CA cert for use with the slave. But the server cert and key in the slave were signed with the original slave CA without the concatenation.

2. The following line:
tls_cert=
in the slave replication directive seems to be suggesting the location of the master server certificate in the guide, but there is no clear mention. I put the location of the master server certificate in this line.

A billion thanks in advance.

First the master slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw sameforall
directory /var/lib/ldap

TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key

overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq

idlcachesize 1000

access to attrs=userPassword
    by self write
    by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by anonymous auth
    by * none

access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by self read
    by anonymous auth
    by * none

access to *
    by self write
    by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by * read

loglevel stats args trace sync

************************************************************************************************************************

Next, the slapd.conf of the slave:

### configuration for IER
### written by T.Tanaka

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw sameforall
directory /var/lib/ldap

TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/misc/clearkey.pem

# Replicas of this database

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq

idlcachesize 1000

access to attrs=userPassword
    by dn="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by self write
    by anonymous auth
    by * none

access to *
    by dn="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by self write
    by * read

loglevel stats args trace sync

syncrepl rid=001
    provider=ldaps://mail.ier.hit-u.ac.jp:636
    type=refreshOnly
    interval=00:00:05:00
    bindmethod=simple
    searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
    binddn="uid=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
    credentials=sameforall
    tls_cert=/usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt

mirrormode on
updateref ldaps://mail.ier.hit-u.ac.jp

**************************************************************************************************************************
wailok tam <wailoktam@yahoo.com> wrote on 01.12.2014 at 10:04 in message
674598213.1863113.1417424697693.JavaMail.yahoo@jws10083.mail.ne1.yahoo.com:
Hi, I would really be grateful if a nice guy would appear and save me with this one. Simple bind replication over ldaps port does not work. I don't have a clue. There are very few guides on setting up replication over ldaps on the web or on prints. I am following this one as I am using RH:
Verifying your SSL certificates: Try this (preferably as the same user that slapd uses):

# openssl verify -CApath /etc/ssl/certs /etc/ssl/servercerts/slapd.pem
/etc/ssl/servercerts/slapd.pem: OK
If (you are using openssl and) it works, your certificate should be OK; if not fix it and repeat the test.
[...]
I'd leave out the "tls_cert=" to switch to automatic cert selection; if that doesn't work, something is wrong with your setup; if it works, you can try to use a fixed certificate.
Then you could try a manual remote TLS (not SSL) connect (e.g. ldapsearch) to your master; if it doesn't work, fix the config and repeat the test. Try to retrieve the whole database; if it works, you are quite close, I guess.
Turn on logging for "config" and "sync" at least. Try some modification on the master and watch what happens...
Regards, Ulrich
Hi, thanks for your help. I am getting this on the master, no matter whether I put /usr/share/ssl/certs or /usr/share/ssl/certs/nii-odca2.crt for the first argument after -CApath:

/usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt: /C=JP/L=Academe2/O=Hitotsubashi University/OU=Institute of Economic Research/CN=mail.ier.hit-u.ac.jp
error 20 at 0 depth lookup:unable to get local issuer certificate
unable to load certificate
12574:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

For the slave, I am also getting:

/etc/pki/tls/misc/newcert.pem: /C=JP/ST=Tokyo/L=Kunitachi/O=Hitotsubashi Univ./OU=IER/CN=blade-s00.ier.hit-u.ac.jp
error 20 at 0 depth lookup:unable to get local issuer certificate
unable to load certificate
25730:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

no matter whether I put /etc/pki/CA/ or /etc/pki/CA/cacert.pem for the first argument after -CApath. Any clue? Thanks again in advance.

I did not do update-ca-certificates, as mentioned in some books, on both the master and the slave. First, on the master, I need to use an existing cert. So I suppose I don't need to update it. Second, I don't know where this command is located on RH... Is that relevant?
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
To: openldap-technical@openldap.org; wailoktam@yahoo.com
Sent: Monday, December 1, 2014 7:08 PM
Subject: Antw: need serious help on replication over ssl - getting do_syncrep1: rid 001 ldap_sasl_bind_s failed (-1)
wailok tam <wailoktam@yahoo.com> wrote on 01.12.2014 at 11:40 in message
1171333883.1885274.1417430400586.JavaMail.yahoo@jws100208.mail.ne1.yahoo.com:
Hi, thanks for your help. I am getting this on the master, no matter whether I put /usr/share/ssl/certs or /usr/share/ssl/certs/nii-odca2.crt for the first argument after -CApath:

/usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt: /C=JP/L=Academe2/O=Hitotsubashi University/OU=Institute of Economic Research/CN=mail.ier.hit-u.ac.jp
error 20 at 0 depth lookup:unable to get local issuer certificate
unable to load certificate
12574:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
So you have a problem with your issuer certificate: Did you use c_rehash after adding a CA certificate to /etc/ssl/certs? If so, dump your certificates (CA and server) like this:

openssl x509 -noout -text -in <your_certificate>

and examine "Issuer" and "Subject" at least.
Regards, Ulrich
For the slave, I am also getting:

/etc/pki/tls/misc/newcert.pem: /C=JP/ST=Tokyo/L=Kunitachi/O=Hitotsubashi Univ./OU=IER/CN=blade-s00.ier.hit-u.ac.jp
error 20 at 0 depth lookup:unable to get local issuer certificate
unable to load certificate
25730:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

no matter whether I put /etc/pki/CA/ or /etc/pki/CA/cacert.pem for the first argument after -CApath. Any clue? Thanks again in advance.

I did not do update-ca-certificates, as mentioned in some books, on both the master and the slave. First, on the master, I need to use an existing cert. So I suppose I don't need to update it. Second, I don't know where this command is located on RH... Is that relevant?
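An added example, not from the thread, that walks through the certificate check Ulrich suggests and the CA-concatenation step from the original post: it builds two throwaway CAs (stand-ins for the master's nii-odca2.crt and the slave's cacert.pem) and one server certificate each, shows why a single CA yields error 20 for the other side's certificate, that a concatenated bundle validates both, and what a hashed -CApath directory (what c_rehash produces) looks like. It assumes only a POSIX shell and the openssl command line; every name and subject in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): two throwaway CAs standing in for the
# master's nii-odca2.crt and the slave's cacert.pem, one server cert per CA,
# then `openssl verify` with one CA, a concatenated bundle, and a hashed -CApath dir.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Self-signed CA named "$1" with subject "$2" (constructed test data)
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
# Server cert "$1" with CN "$3", issued by CA "$2"
mk_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 2 -out "$1.pem" >/dev/null 2>&1
}
mk_ca master-ca "/O=Example/CN=Master CA"
mk_ca slave-ca  "/O=Example/CN=Slave CA"
mk_cert master master-ca mail.example.test
mk_cert slave  slave-ca  blade.example.test

# 0 when "$2" chains to a CA in bundle file "$1". Ulrich's test used -CApath,
# which expects a hashed directory; a single file belongs after -CAfile instead.
verify_cafile() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Prints openssl's reason text for error 20 (empty when verification succeeds)
verify_reason() {
    openssl verify -CAfile "$1" "$2" 2>&1 |
        grep -o 'unable to get local issuer certificate' | head -n 1 || true
}

# The guide's concatenation step: one bundle that trusts both CAs
cat master-ca.pem slave-ca.pem > bundle.pem

# -CApath needs <subject_hash>.N files; this does by hand what c_rehash does
make_capath() {
    dir=$1; shift; mkdir -p "$dir"
    for ca in "$@"; do
        cp "$ca" "$dir/$(openssl x509 -noout -subject_hash -in "$ca").0"
    done
}
verify_capath() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }
make_capath hashed master-ca.pem slave-ca.pem

verify_cafile bundle.pem slave.pem && echo "slave cert OK against bundle"
verify_reason master-ca.pem slave.pem   # master CA alone: error 20
```

Passing a plain file after -CApath, as in the thread, never finds an issuer: OpenSSL looks for <subject_hash>.0 inside that path, so a single CA file goes after -CAfile and a directory after -CApath only once it has been rehashed.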
openldap-technical@openldap.org