Hi,
I wonder if anyone can help me with a question I have regarding an OpenLDAP setup on Red Hat / CentOS 5.8 using openldap-2.3.43.
I am trying to set up replication. I have set this up using the simple bind method, which stores a password for the replication in the config (this works), but I wondered if there was a way to have this replication take place using SSL certificates without the need to store the unhashed password in slapd.conf? Is this possible, or do I still have to specify a replication user and password, but have all the auth take place over SSL?
This is my current config for replication:
syncrepl rid=001
    provider=ldap://master01.tld
    type=refreshAndPersist
    interval=00:00:05:00
    retry="5 5 300 +"
    searchbase="dc=tld"
    attrs="*,+"
    bindmethod=sasl
    saslmech=EXTERNAL
    tls_cert=/etc/master02.tld.pem
    tls_key=/etc/master02.tld.key
    tls_cacert=/etc/openldap/cacerts/ca.pem
    tls_reqcert=demand
    starttls=yes
mirrormode on
updateref ldap://master01.tld
but in the replication log I get the following:
Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7)
Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying (3 retries left)
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on:
On 07/31/2013 12:36 PM, Tony Davis wrote:
Hi,
I wonder if anyone can help me with a question I have regarding an OpenLDAP setup on Red Hat / CentOS 5.8 using openldap-2.3.43.
I am trying to set up replication. I have set this up using the simple bind method, which stores a password for the replication in the config (this works), but I wondered if there was a way to have this replication take place using SSL certificates without the need to store the unhashed password in slapd.conf? Is this possible, or do I still have to specify a replication user and password, but have all the auth take place over SSL?
This is my current config for replication:
syncrepl rid=001
    provider=ldap://master01.tld
    type=refreshAndPersist
    interval=00:00:05:00
    retry="5 5 300 +"
    searchbase="dc=tld"
    attrs="*,+"
    bindmethod=sasl
    saslmech=EXTERNAL
    tls_cert=/etc/master02.tld.pem
    tls_key=/etc/master02.tld.key
    tls_cacert=/etc/openldap/cacerts/ca.pem
    tls_reqcert=demand
    starttls=yes
mirrormode on
updateref ldap://master01.tld
but in the replication log I get the following:
Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7)
Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying (3 retries left)
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on:
I'm struggling with a similar problem (see message "N-Way Multi-Master TLS problem" from a few hours ago) so I'm afraid I don't have an answer for you. This FAQ entry might help:
http://www.openldap.org/faq/data/cache/1504.html
One tip: usually the developers/experienced folks on this list will advise you to upgrade your OpenLDAP version to the latest version using packages available from http://ltb-project.org, or to build the latest OpenLDAP from source against OpenSSL (not GnuTLS). Between 2.3.43 and the latest 2.4.35 version many syncrepl bugs have been fixed, so maybe start with that.
If you find a solution I would appreciate it if you could update the thread. It might provide a pointer on how to solve my problem.
Regards, Patrick
On 2013.07.31 06.36, Tony Davis wrote:
Hi,
I wonder if anyone can help me with a question I have regarding an OpenLDAP setup on Red Hat / CentOS 5.8 using openldap-2.3.43.
I am trying to set up replication. I have set this up using the simple bind method, which stores a password for the replication in the config (this works), but I wondered if there was a way to have this replication take place using SSL certificates without the need to store the unhashed password in slapd.conf? Is this possible, or do I still have to specify a replication user and password, but have all the auth take place over SSL?
you are talking about two different things. one is encryption, and one is authentication.
making some basic assumptions [e.g. that the provider is properly configured for encryption], using starttls means that communication is encrypted, regardless of how you might be authenticating or what sasl mechanism might be in use.
as far as authentication goes, if you want to do certificate based authentication, first read the section in the admin guide which covers this [chapter 16. using tls]. then, use ldapsearch or friends for the exercise of setting up and testing the provider. once that is working, translate those settings to the consumer syncrepl config element.
on a related note, the tls_cert/tls_key syncrepl settings are to specify the key and cert of the client [e.g. the consumer]. not the provider. those files are what the consumer will use when authenticating to the provider via certificates.
-ben
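As a worked illustration of ben's advice (added here, not from any of the posters): the provider-side settings that let a SASL EXTERNAL bind use the consumer's certificate, the ldapwhoami check to run from the consumer before touching syncrepl, and the consumer's syncrepl block with the stored password gone. The certificate subject, the replicator DN and the master01 file paths are assumptions; substitute your own.

```conf
### Provider (master01.tld) slapd.conf -- hypothetical paths and DNs ###

# Server certificate, key and the CA that signed the consumer's cert.
TLSCACertificateFile   /etc/openldap/cacerts/ca.pem
TLSCertificateFile     /etc/openldap/master01.tld.pem
TLSCertificateKeyFile  /etc/openldap/master01.tld.key

# Request and verify the client certificate. With the default "never"
# the consumer's cert is never requested, so the session carries no
# external identity, EXTERNAL is not available, and the SASL bind
# fails (result 7, authMethodNotSupported). "try" keeps password
# clients working; "demand" rejects every client without a cert.
TLSVerifyClient try

# SASL EXTERNAL authenticates as the certificate subject DN. Map it to
# a normal LDAP identity; use the exact string ldapwhoami prints
# (see below) as the pattern.
authz-regexp
    "^cn=master02.tld,o=example,c=gb$"
    "cn=replicator,dc=tld"

# The mapped identity needs read access to the replicated tree; put
# this before any more restrictive "access to" rules.
access to *
    by dn.exact="cn=replicator,dc=tld" read
    by * break

### Test from the consumer host first (client-side TLS via environment) ###
# LDAPTLS_CACERT=/etc/openldap/cacerts/ca.pem \
# LDAPTLS_CERT=/etc/master02.tld.pem LDAPTLS_KEY=/etc/master02.tld.key \
# ldapwhoami -H ldap://master01.tld -ZZ -Y EXTERNAL
#   without the authz-regexp: dn:<certificate subject DN>  (paste it above)
#   with the mapping:         dn:cn=replicator,dc=tld
# Then, with the same environment, ldapsearch -ZZ -Y EXTERNAL -b dc=tld
# must return entries before the syncrepl block below can work.

### Consumer (master02.tld) syncrepl: certificate only, no password ###
syncrepl rid=001
    provider=ldap://master01.tld
    type=refreshAndPersist
    searchbase="dc=tld"
    attrs="*,+"
    bindmethod=sasl
    saslmech=EXTERNAL
    starttls=yes
    tls_reqcert=demand
    tls_cacert=/etc/openldap/cacerts/ca.pem
    tls_cert=/etc/master02.tld.pem
    tls_key=/etc/master02.tld.key
```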
openldap-technical@openldap.org