--On Friday, June 23, 2017 8:30 AM +0000 Juergen.Sprenger@swisscom.com wrote:
Have also added these entries to syncrepl now, but without any success:
tls_cert=/etc/ssl/openldap/dannatu.ch.pem
tls_key=/etc/ssl/openldap/dannatu.ch.key
tls_cacert=/etc/ssl/certs/dannatuCA-cacert.pem
This would indicate you want to do client cert authentication with the syncrepl client, which as far as I know, you are not using (based on your earlier configuration). You need to remove the tls_cert and tls_key lines. I've tested with OpenLDAP 2.4.45 and TLS works as expected with replication.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Cert authentication works on 2.4.44-r1 without any problem.
I have now downloaded the source code, configured, compiled and installed it manually.
Configure options:
./configure --disable-bdb --disable-hdb --enable-accesslog --enable-auditlog --enable-deref --enable-memberof --enable-ppolicy --enable-proxycache --enable-syncprov --enable-valsort
After compilation 'make test' completed successfully without any errors.
Everything works fine with 2.4.44-r1, but there are still certificate problems with 2.4.45, complaining about self-signed certificates.
Configurations with 2.4.44-r1 and 2.4.45 are identical, both are compiled with the same version of OpenSSL libraries (OpenSSL 1.0.2l 25 May 2017) and are using the same certificates.
I have done strace:
2.4.44-r1:
=======
ldap_create
ldap_create
ldap_url_parse_ext(ldaps://fw1.dannatu.ch:636)
ldap_url_parse_ext(ldaps://fw0.dannatu.ch:636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw1.dannatu.ch:636
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw0.dannatu.ch:636
ldap_new_socket: 13
ldap_prepare_socket: 13
ldap_connect_to_host: Trying 10.0.0.11:636
ldap_pvt_connect: fd: 13 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
ldap_new_socket: 14
ldap_prepare_socket: 14
ldap_connect_to_host: Trying 10.0.0.10:636
ldap_pvt_connect: fd: 14 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: depth: 0, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: depth: 1, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS certificate verification: depth: 0, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request

2.4.45:
=====
ldap_create
ldap_url_parse_ext(ldaps://fw1.dannatu.ch:636)
ldap_url_parse_ext(ldaps://fw0.dannatu.ch:636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw0.dannatu.ch:636
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw1.dannatu.ch:636
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 10.0.0.10:636
ldap_pvt_connect: fd: 15 tm: -1 async: 0
attempting to connect:
ldap_new_socket: 16
ldap_prepare_socket: 16
ldap_connect_to_host: Trying 10.0.0.11:636
ldap_pvt_connect: fd: 16 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
connect success
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: Error, self signed certificate in certificate chain
TLS certificate verification: depth: 1, err: 19, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
5950a07f slap_client_connect: URI=ldaps://fw1.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
5950a07f slap_client_connect: URI=ldaps://fw0.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
5950a07f do_syncrepl: rid=001 rc -1 retrying (4 retries left)
5950a07f do_syncrepl: rid=000 rc -1 retrying (4 retries left)
Still can't find a cause for this behavior.
Kind regards
Juergen Sprenger
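The `err: 19` in the 2.4.45 trace is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the server's chain contained the self-signed CA certificate, but nothing in the consumer's trust store vouched for it, which is what happens when the file named in tls_cacert is not actually in effect. The following is an added shell example, not code from the thread, that reproduces both outcomes offline with the openssl CLI (assumed >= 1.1.0, with a working default openssl.cnf); the CA and server names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two verification outcomes
# in the traces offline with the openssl CLI (>= 1.1.0 assumed). The CA and
# server names are constructed for the demo, not the poster's certificates.
set -eu

# Build a throwaway CA and a server certificate signed by it in directory $1.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=ldap.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# Run 'openssl verify' on certificate $1 with the given trust arguments,
# ignoring the system store, and print the X509 verify error code
# (0 on success, otherwise the N from "error N at <depth> depth lookup").
verify_code() {
    cert=$1; shift
    if out=$(openssl verify -no-CAfile -no-CApath "$@" "$cert" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
    fi
}

# What a consumer whose tls_cacert is in effect sees: the CA file is trusted.
verify_with_cacert() { verify_code "$2" -CAfile "$1"; }

# What the 2.4.45 trace shows: the CA certificate is present in the chain the
# server presents (-untrusted), but no trust anchor vouches for it, so
# verification stops at depth 1 with error 19 (self signed cert in chain).
verify_ca_untrusted() { verify_code "$2" -untrusted "$1"; }

# Stand-alone usage: ./check_chain.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_pki "$d"
    echo "CA trusted (tls_cacert in effect): $(verify_with_cacert "$d/ca.pem" "$d/server.pem")"
    echo "CA only in presented chain:        $(verify_ca_untrusted "$d/ca.pem" "$d/server.pem")"
    rm -rf "$d"
fi
```

Against a live consumer the same distinction shows up as the "Verify return code" of `openssl s_client -connect host:636 -CAfile <tls_cacert file>`: 0 when the file is honoured, 19 when the CA is only in the server's chain.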
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com]
Sent: Friday, June 23, 2017 6:33 PM
To: Sprenger Jürgen, INI-ON-CIS-SDI-HES Juergen.Sprenger@swisscom.com; openldap-technical@openldap.org
Subject: RE: syncrepl fails after upgrade to openldap 2.4.45