2:25 p.m.
Hi,
I'm not able to get slapo-chain + TLS to work. Slapo-chain without TLS
works, syncrepl + TLS works, the ldapclients with TLS works, just
slapo-chain + TLS does not work.
"man slapo-chain" contains no information about the tls options for
slapo-chain, but with I enable "chain-tls start" (as described in the
OpenLDAP Admin Guide) I get the error : TLS negotiation failure.
What TLS options for slapo-chain are available for me to configure to
get this working?
Note : I'm using Ubuntu 12.04 with slapd 2.4.28 provided by the
distribution.
Regards,
Warren.
11:17 p.m.
Hi,
Because you're using chain type referrals you need to "trust" the
certificate from the ldap server you are "referring" to on the LDAP
clients issuing queries.
Andrei BĂNARU
Internal Support
CCNA Security, CCIP
StreamWIDE Romania
On 16.07.2012 00:25, Warren Howard wrote:
Hi,
I'm not able to get slapo-chain + TLS to work. Slapo-chain without
TLS works, syncrepl + TLS works, the ldapclients with TLS works, just
slapo-chain + TLS does not work.
"man slapo-chain" contains no information about the tls options for
slapo-chain, but with I enable "chain-tls start" (as described in the
OpenLDAP Admin Guide) I get the error : TLS negotiation failure.
What TLS options for slapo-chain are available for me to configure to
get this working?
Note : I'm using Ubuntu 12.04 with slapd 2.4.28 provided by the
distribution.
Regards,
Warren.
11:24 a.m.
Dear Andrei,
On 16/07/12 11:47 AM, Andrei BĂNARU wrote:
Hi,
Because you're using chain type referrals you need to "trust" the
certificate from the ldap server you are "referring" to on the LDAP
clients issuing queries.
Isn't this done by setting up TLS_CACERT in /etc/ldap/ldap.conf and
TLSCACertificateFile in /etc/ldap/slapd.conf?
In my case, on the slave /etc/ldap.conf contains the line "TLS_CACERT
/etc/ssl/certs/cacert.pem" and /etc/ldap/slapd.conf contains the line
"TLSCACertificateFile /etc/ssl/certs/cacert.pem". cacert.pem is the
self-signed cert from the ca that I used to sign the certificates for
each server. ldap client queries with -Z or -ZZ work fine, syncrepl
(with TLS) works fine. slapo-chain + TLS wont work and each time it
gives a TLS negotiation failure.
In an attempt to understand more I started slapd on the master with
debug -1 and found this error:
TLS: can't accept: A record packet with illegal version was received..
connection_read(16): TLS accept failure error=-1 id=1001, closing
The master runs Ubuntu 10.04.4 LTS and slapd @(#) $OpenLDAP: slapd
2.4.21 (Dec 19 2011 15:18:58) $
buildd@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
I'm wondering do I need to upgrade the master (slave is Ubuntu 12.04),
could this be related to the version of slapd or gnutls?
Regards,
Warren.
2:06 p.m.
TLS: can't accept: A record packet with illegal version was
received..
connection_read(16): TLS accept failure error=-1 id=1001, closing
The master runs Ubuntu 10.04.4 LTS and slapd @(#) $OpenLDAP: slapd 2.4.21
(Dec 19 2011 15:18:58) $
buildd@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
I'm wondering do I need to upgrade the master (slave is Ubuntu 12.04), could
this be related to the version of slapd or gnutls?
Check out:
man slapd-ldap as slapo-chain uses that which has the same tls
settings as slapd.
Thanks.
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
12:15 p.m.
On 19/07/12 2:36 AM, Gavin Henry wrote:
> TLS: can't accept: A record packet with illegal version was
received..
> connection_read(16): TLS accept failure error=-1 id=1001, closing
>
> The master runs Ubuntu 10.04.4 LTS and slapd @(#) $OpenLDAP: slapd 2.4.21
> (Dec 19 2011 15:18:58) $
> buildd@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
>
> I'm wondering do I need to upgrade the master (slave is Ubuntu 12.04), could
> this be related to the version of slapd or gnutls?
Check out:
man slapd-ldap as slapo-chain uses that which has the same tls
settings as slapd.
Thanks.
Thanks for that, in the end I gave up on TLS and just used SSL. Later
when I try again, it'll be after upgrading both the provider and the
consumer to the same versions. For now I'm using:
chain-uri "ldaps://provider.example.com"
.
.
chain-tls ldaps
.
.
.
.
updateref "ldaps://provider.example.com/"
Regards,
Warren.
1:21 p.m.
Thanks for that, in the end I gave up on TLS and just used SSL. Later
when I
try again, it'll be after upgrading both the provider and the consumer to
the same versions. For now I'm using:
Warren you wimp!!! I understand, but do go back to it as StartTLS is a
standard, LDAP over SSL isn't.
Thanks.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
Aberdeenshire, AB51 8GL.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
Do you know we have our own VoIP provider called SureVoIP? See
http://www.surevoip.co.uk
Did you see our API news?
http://www.surevoip.co.uk/news-events/surevoip-launches-innovative-api
1:54 p.m.
There are some good instances where StartTLS isn't attractive: when the LDAP servers
are behind F5 BigIPs for example.
My 2 cents.
- chris
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.
4152
days inactive
4156
days old
openldap-technical@openldap.org
7 comments
5 participants
participants (5)
-
Andrei BĂNARU -
Chris Jacobs -
Gavin Henry -
Gavin Henry -
Warren Howard