Hi,
I'm not able to get slapo-chain + TLS to work. Slapo-chain without TLS works, syncrepl + TLS works, the LDAP clients with TLS work, just slapo-chain + TLS does not work.
"man slapo-chain" contains no information about the TLS options for slapo-chain, but when I enable "chain-tls start" (as described in the OpenLDAP Admin Guide) I get the error: TLS negotiation failure.
What TLS options for slapo-chain are available for me to configure to get this working?
Note: I'm using Ubuntu 12.04 with slapd 2.4.28 provided by the distribution.
Regards,
Warren.
Hi,
Because you're using chain type referrals you need to "trust" the certificate from the ldap server you are "referring" to on the LDAP clients issuing queries.
Andrei BĂNARU
Internal Support
CCNA Security, CCIP
StreamWIDE Romania
On 16.07.2012 00:25, Warren Howard wrote:
> Hi,
> I'm not able to get slapo-chain + TLS to work. Slapo-chain without TLS works, syncrepl + TLS works, the LDAP clients with TLS work, just slapo-chain + TLS does not work.
> "man slapo-chain" contains no information about the TLS options for slapo-chain, but when I enable "chain-tls start" (as described in the OpenLDAP Admin Guide) I get the error: TLS negotiation failure.
> What TLS options for slapo-chain are available for me to configure to get this working?
> Note: I'm using Ubuntu 12.04 with slapd 2.4.28 provided by the distribution.
> Regards,
> Warren.
Dear Andrei,
On 16/07/12 11:47 AM, Andrei BĂNARU wrote:
> Hi,
> Because you're using chain type referrals you need to "trust" the certificate from the ldap server you are "referring" to on the LDAP clients issuing queries.
Isn't this done by setting TLS_CACERT in /etc/ldap/ldap.conf and TLSCACertificateFile in /etc/ldap/slapd.conf?
In my case, on the slave /etc/ldap.conf contains the line "TLS_CACERT /etc/ssl/certs/cacert.pem" and /etc/ldap/slapd.conf contains the line "TLSCACertificateFile /etc/ssl/certs/cacert.pem". cacert.pem is the self-signed cert from the CA that I used to sign the certificates for each server. LDAP client queries with -Z or -ZZ work fine, syncrepl (with TLS) works fine. slapo-chain + TLS won't work and each time it gives a TLS negotiation failure.
In an attempt to understand more I started slapd on the master with debug -1 and found this error:
TLS: can't accept: A record packet with illegal version was received.. connection_read(16): TLS accept failure error=-1 id=1001, closing
The master runs Ubuntu 10.04.4 LTS and slapd @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:18:58) $ buildd@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
I'm wondering whether I need to upgrade the master (the slave is Ubuntu 12.04); could this be related to the version of slapd or GnuTLS?
Regards,
Warren.
> TLS: can't accept: A record packet with illegal version was received.. connection_read(16): TLS accept failure error=-1 id=1001, closing
> The master runs Ubuntu 10.04.4 LTS and slapd @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:18:58) $ buildd@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
> I'm wondering whether I need to upgrade the master (the slave is Ubuntu 12.04); could this be related to the version of slapd or GnuTLS?
Check out:
man slapd-ldap, as slapo-chain uses that, which has the same TLS settings as slapd.
Thanks.
On 19/07/12 2:36 AM, Gavin Henry wrote:
>> TLS: can't accept: A record packet with illegal version was received.. connection_read(16): TLS accept failure error=-1 id=1001, closing
>> The master runs Ubuntu 10.04.4 LTS and slapd @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:18:58) $ buildd@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
>> I'm wondering whether I need to upgrade the master (the slave is Ubuntu 12.04); could this be related to the version of slapd or GnuTLS?
> Check out:
> man slapd-ldap, as slapo-chain uses that, which has the same TLS settings as slapd.
> Thanks.
Thanks for that, in the end I gave up on TLS and just used SSL. Later when I try again, it'll be after upgrading both the provider and the consumer to the same versions. For now I'm using:
    chain-uri "ldaps://provider.example.com"
    ...
    chain-tls ldaps
    ...
    updateref "ldaps://provider.example.com/"
Regards,
Warren.
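Putting Gavin's pointer to slapd-ldap(5) together with Andrei's point about trusting the provider's certificate, here is an added example of what the chain overlay's TLS configuration looks like in slapd.conf on the consumer. This is not configuration posted in the thread: the hostname provider.example.com and the CA file /etc/ssl/certs/cacert.pem are the ones Warren mentions, everything else is assumed. slapo-chain accepts every slapd-ldap(5) directive with a chain- prefix, so the TLS knobs are the tls_* arguments of the tls directive documented there, shown here in a weak form and a corrected form, for both the StartTLS and the ldaps:// variants Warren tried.

```conf
# Added example, not from the thread. Hostname and paths are assumptions.
# slapd.conf on the consumer, i.e. the server that chains the referral
# to the provider instead of handing it back to the LDAP client.

overlay chain
chain-uri "ldap://provider.example.com"

# Weak: StartTLS is requested, but the peer certificate is not verified,
# so the chained bind (and any credentials it forwards) goes over a
# session with an unauthenticated peer.
#chain-tls start tls_reqcert=never

# Corrected: name the CA that signed the provider's certificate and
# insist that the peer certificate verify against it. The tls_* options
# here are those of the "tls" directive in slapd-ldap(5); without them,
# whatever libldap picks up from ldap.conf (TLS_CACERT, TLS_REQCERT)
# silently decides the outcome.
chain-tls start tls_cacert=/etc/ssl/certs/cacert.pem tls_reqcert=demand

# Same protections when the URI is ldaps://: "ldaps" mode applies the
# tls_* options to the implicit-TLS connection instead of issuing
# StartTLS on a plain connection.
#chain-uri "ldaps://provider.example.com"
#chain-tls ldaps tls_cacert=/etc/ssl/certs/cacert.pem tls_reqcert=demand

# While debugging, return the chaining error to the client instead of
# the referral, so "TLS negotiation failure" shows up in the ldapsearch
# output rather than being hidden behind a referral the client follows.
chain-return-error TRUE

updateref "ldap://provider.example.com/"
```

The weak line is the one people reach for when the handshake fails, because it makes the error go away; it does so by dropping authentication of the provider, which is exactly the property Andrei's reply is about. Keep tls_reqcert=demand and fix the trust chain instead.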
> Thanks for that, in the end I gave up on TLS and just used SSL. Later when I try again, it'll be after upgrading both the provider and the consumer to the same versions. For now I'm using:
Warren, you wimp!!! I understand, but do go back to it, as StartTLS is a standard and LDAP over SSL isn't.
Thanks.
There are some good instances where StartTLS isn't attractive: when the LDAP servers are behind F5 BigIPs for example. My 2 cents.
- chris
openldap-technical@openldap.org