Hello,
* Summary:
I'm trying to set up syncrepl in my LDAP infrastructure. The logs on my consumer show that syncrepl is failing to negotiate TLS when connecting to the provider. Other LDAP commands such as ldapsearch and sssd show no problem connecting using the same TLS configuration.
At this point, I don't have a good idea of how to continue debugging this problem. Are there any more configuration items affecting TLS I should be looking at? Or any way of getting more details on the TLS negotiation?
* The provider ("auth-00.[MYDOMAIN]"):
slapd 2.4.23 from openldap-servers-2.4.23-15.el6.x86_64 on Scientific Linux 6. TLS is configured with
[cn=config]
olcTLSCACertificateFile: /etc/ssl/[MYCA].pem
olcTLSCertificateFile: /etc/ssl/certs/auth-00.crt.pem # Has CN=auth-00.[MYDOMAIN]
olcTLSCertificateKeyFile: /etc/ssl/private/auth-00.key.pem
olcTLSVerifyClient: never
If I try:
$ ldapsearch -ZZ -x -H ldap://auth-00.[MYDOMAIN]/ uid=iain
it connects and cheerfully returns objects.
* The provider ("auth-01.MYDOMAIN"):
Same slapd version, same package, same OS. syncrepl configuration:
olcSyncrepl: rid=001
 provider=ldap://auth-00.[MYDOMAIN]:389
 bindmethod=simple
 timeout=0
 network-timeout=0
 binddn="cn=syncrepl,dc=[MYDOMAIN]"
 credentials="[MYPASSWORD]"
 keepalive=0:0:0
 filter="(objectClass=*)"
 searchbase="dc=[MYDOMAIN]"
 scope=sub
 schemachecking=off
 type=refreshAndPersist
 retry="10 3 120 5 600 +"
 starttls=critical
 tls_cacert=/etc/ssl/MYCA.pem
* The error
Consumer:
Jan 28 11:53:12 auth-01 slapd[5595]: slapd starting
Jan 28 11:53:12 auth-01 slapd[5595]: slap_client_connect: URI=ldap://auth-00.[MYDOMAIN]:389 Error, ldap_start_tls failed (-11)
Jan 28 11:53:13 auth-01 slapd[5595]: do_syncrepl: rid=001 rc -11 retrying (2 retries left)
Provider receiving syncrepl connection:
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 ACCEPT from IP=[AUTH-01'S IP]:42669 (IP=0.0.0.0:389)
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 STARTTLS
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 RESULT oid= err=0 text=
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 closed (TLS negotiation failure)
Provider receiving ldapsearch connection:
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 ACCEPT from IP=[AUTH-01'S IP]:42765 (IP=0.0.0.0:389)
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 STARTTLS
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 RESULT oid= err=0 text=
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 TLS established tls_ssf=256 ssf=256
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=1 BIND [...]
Thanks,
Iain.
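The provider-side log lines above, correlated by connection id so that a STARTTLS that ended in "TLS negotiation failure" stands out next to one that reached "TLS established". This is an added example, not code from the thread; the sample log is constructed from the quoted lines, with 10.0.0.11 standing in for the redacted consumer address and an extra cleartext bind (conn=1100) added to show the third case the script flags.

```shell
#!/bin/sh
# Added example, not code from the thread: correlate slapd syslog lines by
# "conn=<id>" so each STARTTLS attempt (and any BIND without TLS) is reported
# with its peer address and outcome.
# Constructed sample modelled on the thread's log lines; 10.0.0.11 replaces the
# redacted consumer IP, conn=1100 is an added bind that never tried STARTTLS.
SAMPLE_LOG=$(cat <<'EOF'
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 ACCEPT from IP=10.0.0.11:42669 (IP=0.0.0.0:389)
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 STARTTLS
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 RESULT oid= err=0 text=
Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 closed (TLS negotiation failure)
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 ACCEPT from IP=10.0.0.11:42765 (IP=0.0.0.0:389)
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 STARTTLS
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 RESULT oid= err=0 text=
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 TLS established tls_ssf=256 ssf=256
Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=1 BIND dn="cn=syncrepl,dc=example,dc=com" method=128
Jan 28 13:56:10 auth-00 slapd[22621]: conn=1100 fd=104 ACCEPT from IP=10.0.0.11:42801 (IP=0.0.0.0:389)
Jan 28 13:56:10 auth-00 slapd[22621]: conn=1100 op=0 BIND dn="cn=syncrepl,dc=example,dc=com" method=128
EOF
)
# Reads slapd log lines on stdin; prints "conn=<id> peer=<ip:port> result=<r>"
# with r one of established, failed, cleartext-bind, unknown (no outcome logged).
starttls_outcomes() {
    awk '
    / ACCEPT from IP=/ {            # remember the peer address per conn id
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^conn=/) id = $i
            else if ($i ~ /^IP=/) peer[id] = substr($i, 4)
        }
        next
    }
    { id = ""; for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) id = $i }
    id == "" { next }
    / op=[0-9]+ STARTTLS/                { seen[id] = 1; outcome[id] = "unknown" }
    / TLS established /                  { outcome[id] = "established" }
    /closed \(TLS negotiation failure\)/ { outcome[id] = "failed" }
    / op=[0-9]+ BIND / && outcome[id] != "established" {
        seen[id] = 1; outcome[id] = "cleartext-bind"   # credentials sent in the clear
    }
    END {
        for (id in seen) {
            p = (id in peer) ? peer[id] : "?"
            printf "%s peer=%s result=%s\n", id, p, outcome[id]
        }
    }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | starttls_outcomes
```

On a real provider, feed it the slapd lines from syslog (loglevel stats) and look for repeated "failed" results from the consumer's address; a "cleartext-bind" from a syncrepl account means that consumer is not using starttls=critical.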
On Sat, Jan 28, 2012 at 4:38 AM, Iain Georgeson iain.georgeson@kaust.edu.sa wrote:
There were a few moznss TLS issues fixed between 2.4.23-15 and 2.4.23-20 in RHEL 6.2 (backported from openldap upstream 2.4.24-2.4.28).
I don't know how far behind SL is compared to RHEL, but if you can, try with openldap 2.4.23-20.
On 28 January 2012 21:11, Rich Megginson richm@stanfordalumni.org wrote:
Many thanks. I bumped slapd on the consumer to 2.4.23-20 from SL6.2 beta, and TLS succeeds now.
Iain.
openldap-technical@openldap.org