I have set up OpenLDAP per the nice tutorial at https://help.ubuntu.com/lts/serverguide/openldap-server.html and on my previous run-throughs, I succeeded at setting up replication via TLS. But now that I'm implementing on the dedicated hardware, I am not able to replicate via TLS.
SOLUTION: It turns out the solution was to add a space to an LDIF file ...
On PROVIDER I will see, for example:
Mar 14 16:13:15 ldap0 slapd[1536]: conn=1392 fd=49 ACCEPT from IP= 10.10.3.117:60277 (IP=0.0.0.0:389) Mar 14 16:13:15 ldap0 slapd[1536]: conn=1392 op=0 BIND dn="" method=128 Mar 14 16:13:15 ldap0 slapd[1536]: conn=1392 op=0 RESULT tag=97 err=0 text= Mar 14 16:13:15 ldap0 slapd[1536]: conn=1392 op=1 SRCH base="dc=qxxxxxxxxd,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=2043))" Mar 14 16:13:15 ldap0 slapd[1536]: conn=1392 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass Mar 14 16:13:15 ldap0 slapd[1536]: <= bdb_equality_candidates: (uidNumber) not indexed Mar 14 16:13:15 ldap0 slapd[1536]: conn=1392 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Mar 14 16:13:15 ldap0 slapd[1536]: conn=1392 op=2 SRCH base="dc=qxxxxxxxxd,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=djh))" Mar 14 16:13:15 ldap0 slapd[1536]: conn=1392 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass Mar 14 16:13:15 ldap0 slapd[1536]: conn=1392 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= Mar 14 16:13:16 ldap0 slapd[1536]: conn=1392 op=3 UNBIND
While on CONSUMER:
Mar 14 16:13:15 ldap1 slapd[3672]: @(#) $OpenLDAP: slapd (Ubuntu) (Sep 15 2015 18:19:13) $#012#011buildd@lgw01-53 :/build/openldap-2QUgtL/openldap-2.4.31/debian/build/servers/slapd Mar 14 16:13:16 ldap1 slapd[3673]: slapd starting Mar 14 16:13:16 ldap1 slapd[3673]: do_syncrepl: rid=317 rc -1 retrying Mar 14 16:13:16 ldap1 sudo: pam_unix(sudo:session): session closed for user root Mar 14 16:13:23 ldap1 slapd[3673]: conn=1000 fd=13 ACCEPT from IP= 10.10.5.3:15197 (IP=0.0.0.0:389) Mar 14 16:13:23 ldap1 slapd[3673]: conn=1000 fd=13 closed (connection lost)
I *CAN* to TLS from consumer to master:
0-16:18 djh@ldap1 ~$ *ldapsearch -LLL -x -ZZ -H ldap://ldap0.mtv.**qxxxxxxxxd.com uid=djh cn* dn: uid=djh,ou=People,dc=qxxxxxxxxd,dc=com cn: djh
So, I increase olcLogLevel to add sync:
Mar 14 16:22:09 ldap1 slapd[4133]: @(#) $OpenLDAP: slapd (Ubuntu) (Sep 15 2015 18:19:13) $#012#011buildd@lgw01-53 :/build/openldap-2QUgtL/openldap-2.4.31/debian/build/servers/slapd Mar 14 16:22:10 ldap1 slapd[4134]: slapd starting Mar 14 16:22:10 ldap1 sudo: pam_unix(sudo:session): session closed for user root Mar 14 16:22:10 ldap1 slapd[4134]: do_syncrep2: rid=317 cookie=rid=317,csn=20160314224255.836334Z#000000#000#000000 Mar 14 16:22:10 ldap1 slapd[4134]: slap_queue_csn: queing 0x7f0c5c114995 20160314224255.836334Z#000000#000#000000 Mar 14 16:22:10 ldap1 slapd[4134]: slap_graduate_commit_csn: removing 0x7f0c5c114d10 20160314224255.836334Z#000000#000#000000 Mar 14 16:22:10 ldap1 slapd[4134]: do_syncrepl: rid=317 rc -1 retrying
THAT is the contextCSN on the provider!
0-16:24 djh@ldap0 ~$ *ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=qxxxxxxxxd,dc=com contextCSN # provider* dn: dc=qxxxxxxxxd,dc=com contextCSN: 20160314224255.836334Z#000000#000#000000
0-16:22 djh@ldap1 ~$ *ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=qxxxxxxxxd,dc=com contextCSN # consumer* dn: dc=qxxxxxxxxd,dc=com contextCSN: 20160314224152.708568Z#000000#000#000000
As best I can tell, the connection works, the replication works, but the consumer is not asking for TLS.
0-16:29 djh@ldap1 ~$ *sudo ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase={1}hdb olcSyncRepldn: olcDatabase={1}hdb,cn=config* olcSyncrepl: {0}rid=317 provider=ldap://ldap0.mtv.qxxxxxxxxd.com bindmethod=si mple binddn="cn=admin,dc=qxxxxxxxxd,dc=com" credentials=secret searchbase ="dc=qxxxxxxxxd,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=audi tWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry=" 60 +" syncdata=accesslogstarttls=critical tls_reqcert=demand
If I rip out starttls=critical tls_reqcert=demand then sync works no problem.
If I enable logging on the PROVIDER I see:
Mar 14 16:35:46 ldap0 slapd[6838]: @(#) $OpenLDAP: slapd (Ubuntu) (Sep 15 2015 18:19:13) $#012#011buildd@lgw01-53 :/build/openldap-2QUgtL/openldap-2.4.31/debian/build/servers/slapd Mar 14 16:35:46 ldap0 slapd[6839]: slapd starting Mar 14 16:35:46 ldap0 sudo: pam_unix(sudo:session): session closed for user root Mar 14 16:35:49 ldap0 slapd[6839]: conn=1000 fd=27 ACCEPT from IP= 10.10.5.3:17876 (IP=0.0.0.0:389) Mar 14 16:35:49 ldap0 slapd[6839]: conn=1000 fd=27 closed (connection lost) Mar 14 16:35:55 ldap0 slapd[6839]: conn=1001 fd=27 ACCEPT from IP= 10.10.3.117:60312 (IP=0.0.0.0:389) Mar 14 16:35:55 ldap0 slapd[6839]: conn=1001 op=0 BIND dn="cn=admin,dc= *qxxxxxxxxd*,dc=com" method=128 Mar 14 16:35:55 ldap0 slapd[6839]: conn=1001 op=0 BIND dn="cn=admin,dc= *qxxxxxxxxd*,dc=com" mech=SIMPLE ssf=0 Mar 14 16:35:55 ldap0 slapd[6839]: conn=1001 op=0 RESULT tag=97 err=0 text= Mar 14 16:35:55 ldap0 slapd[6839]: conn=1001 op=1 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))" Mar 14 16:35:55 ldap0 slapd[6839]: conn=1001 op=1 SRCH attr=targetDN changeType changes newRDN deleteOldRDN newSuperior entryCSN Mar 14 16:35:55 ldap0 slapd[6839]: Entry reqStart=20160314224152.000005Z,cn=accesslog CSN 20160314224152.708568Z#000000#000#000000 older or equal to ctx 20160314224152.708568Z#000000#000#000000 Mar 14 16:35:55 ldap0 slapd[6839]: syncprov_search_response: cookie=rid=317,csn=20160314224255.836334Z#000000#000#000000 Mar 14 16:35:55 ldap0 slapd[6839]: conn=1001 op=2 UNBIND Mar 14 16:35:55 ldap0 slapd[6839]: conn=1001 fd=27 closed
So .......... it looks like ... sync works until it doesn't because ... we're not binding consumer to provider TLS because .. ?
WAIT A GOSH DARN SECOND HERE ....
0-16:41 djh@ldap1 ~$ *sudo ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase={1}hdb olcSyncRepldn: olcDatabase={1}hdb,cn=config* olcSyncrepl: {0}rid=317 provider=ldap://ldap0.mtv.qxxxxxxxxd.com bindmethod=si mple binddn="cn=admin,dc=qxxxxxxxxd,dc=com" credentials=secret searchbase ="dc=qxxxxxxxxd,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=audi tWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry=" 60 +" *syncdata=accesslogstarttls=critical* tls_reqcert=demand
Yeah ...
0-16:43 djh@ldap1 ~$ *cat consumer_sync_tls.ldif* dn: olcDatabase={1}hdb,cn=config replace: olcSyncRepl olcSyncRepl: rid=317 provider=ldap://ldap0.mtv.qxxxxxxxxd.com bindmethod=simple binddn="cn=admin,dc=qxxxxxxxxd,dc=com" credentials=secret searchbase="dc=qxxxxxxxxd,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=critical tls_reqcert=demand
0-16:43 djh@ldap1 ~$ *sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldifSASL/EXTERNAL authentication started* SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}hdb,cn=config"
No errors ...
**edit consumer_sync_tls.ldif, add a space to the end of the line ending in syncdata=accesslog**
0-16:45 djh@ldap1 ~$ *sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldifSASL/EXTERNAL authentication started* SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}hdb,cn=config"
Same result, no errors, aaand:
0-16:46 djh@ldap1 ~$ *ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=**qxxxxxxxxd,dc=com contextCSN # consumer* dn: dc=qxxxxxxxxd,dc=com contextCSN: 20160314224255.836334Z#000000#000#000000
Well, I just paid some dues.
I want to add olcLogLevel config perhaps? Would that have helped me here?
Thanks ...
-danny
openldap-technical@openldap.org