Hi Dieter,
Hi all,
I think I have a problem with the overlay chain and TLS. We have one physical master and two slaves in VMware vSphere 4. Our configuration normally runs fine, but sometimes we can't modify entries like passwords on the master. Then we must restart the slapd on the slaves. After restarting slapd all works fine. Then slapd works fine the whole day. We can change entries or set passwords on the slaves. Next morning we must restart the slapd again, because we can't modify entries from the slaves. But we can query the slapd and syncrepl works fine. Only things over the overlay chain don't work. I have the problem not only with version 2.4.20. I tested more versions and currently 2.4.21 on physical hardware.
If I can't set entries on the slave I don't see any TCP packets from the slave to the master. DNS, time and so on look fine and everything else is working. And if we restart slapd everything is working. Does anybody know what is going wrong and if there exists a workaround? I read some things about /dev/random, /dev/urandom and kernel 2.6 in VMware. Can this be the problem?
Here the overlay chain configuration.
<snip slapd.conf>
overlay chain
chain-uri "ldap://eisenherz.camelot.de/"
chain-idassert-bind bindmethod=simple
    binddn="cn=ldapadmin,dc=camelot,dc=de"
    credentials="xxxxxx"
    mode="self"
chain-rebind-as-user TRUE
chain-return-error TRUE
chain-tls start
</snip slapd.conf>
Any help is appreciated.
What version is this? I found that with 2.4.21 a tls_cacert option solved my problem.
I have the problem in 2.4.12, 2.4.18, 2.4.19, 2.4.20 and 2.4.21.
chain-tls start tls_cacert="/opt/openldap/etc/openldap/certs/avciCA.pem" tls_reqcert="demand"
slapd-ldap(5) provides more TLS options.
I know and I have configured some of them. But the problem still exists. I can't see any packets on the network device from the slave to the master. If I restart the slave slapd then all works fine for a time.
But I will read the man page again.
Today I have sent a mail to the list with two traces: one with a successful passmod and one with a non-working passmod. Here is the link:
http://www.openldap.org/lists/openldap-technical/201003/msg00019.html
The differences in the traces are hdb_dn2id entries. When the passmod over the slave is ok then I can see entries like:
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
or
=> hdb_dn2id("ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x9
=> hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0xa
entry_decode: ""
<= entry_decode()
When the passmod fails, these entries are not in the trace. After restarting the slapd I can change passwords over the slaves and I can see the hdb_dn2id entries in the trace.
Regards Ralf Zimmermann
--
Ralf Zimmermann
SIEGNETZ.IT GmbH
Schneppenkauten 1a
57076 Siegen
Tel.: +49 271 68193 13 Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838, managing director: Oliver Seitz, registered office: Siegen
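Ralf's comparison of the two traces comes down to one observable: a working chained passmod shows the slave resolving the bind DN locally ("=> hdb_dn2id(...)" followed by "<= hdb_dn2id: got id=0x.."), a stalled one does not. The script below is an added example, not code from the thread or from the OpenLDAP project, that automates that check so a replica's health can be classified from its trace output instead of by eye. The sample trace files are constructed here from the fragments quoted above; the function name, file names and the "conn=... EXT" lines in the failing sample are my assumptions, not lines from Ralf's actual traces.

```shell
#!/bin/sh
# Added example (not from the thread): classify a slapd trace by whether the
# hdb_dn2id lookup for a DN appears, which is the difference Ralf reports
# between a working and a failing chained passmod.

# chain_trace_ok TRACE_FILE DN
# Returns 0 when the trace contains "=> hdb_dn2id("<DN>")" immediately
# followed by a "<= hdb_dn2id: got id=0x.." line, 1 otherwise.
chain_trace_ok() {
    awk -v dn="$2" '
        index($0, "=> hdb_dn2id(\"" dn "\")") { want = 1; next }
        want && /<= hdb_dn2id: got id=0x[0-9a-fA-F]+/ { found = 1; exit }
        { want = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample traces; the "good" one mirrors the lines quoted in the
# thread, the "bad" one only shows the extended operation arriving (the OID
# is the standard password modify OID) with no local DN lookup afterwards.
SAMPLE_DIR=$(mktemp -d)
GOOD_TRACE="$SAMPLE_DIR/passmod-ok.log"
BAD_TRACE="$SAMPLE_DIR/passmod-failed.log"

cat > "$GOOD_TRACE" <<'EOF'
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
EOF

cat > "$BAD_TRACE" <<'EOF'
conn=1004 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1004 op=1 PASSMOD
EOF

# Stand-alone usage: report each sample the way a replica health check would.
for t in "$GOOD_TRACE" "$BAD_TRACE"; do
    if chain_trace_ok "$t" "cn=ldapadmin,dc=camelot,dc=de"; then
        echo "$t: local DN lookup present, chained passmod reached the backend"
    else
        echo "$t: no hdb_dn2id lookup for the bind DN, chain looks stalled"
    fi
done
```

Run it against a real trace with `chain_trace_ok /var/log/slapd-trace.log "cn=ldapadmin,dc=camelot,dc=de"` (path assumed) after a test passmod on the slave; a non-zero exit is the condition under which Ralf restarts slapd, and is worth capturing together with a packet capture of the slave-to-master link before the restart wipes the state.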