I am attempting to move my syncrepl with mirrormode configuration over to TLS using LDAPS (not starttls) and am running into problems.

Multimaster setup (2 servers) behind a VIP, both RHEL 6.3, Openldap 2.4.23-26, still running the old slapd.conf method (apologies).

There are 3 separate certificates: ldap.mycompany.net, server01.mycompany.net, and server02.mycompany.net. The primary certificate is used for running slapd, and the individual server certs are intended to allow syncrepl over SSL.
My configurations for syncrepl/mirrormode are down below.
I had success with non-ssl syncrepl/mirrormode. It worked great actually. Now I am attempting to get syncrepl/mirrormode working with SSL.
What I observe is whichever slapd instance is the last to startup is the one that becomes a "Master" as if I was in a producer/consumer setup.
Errors I am seeing are:

    slapd[11995]: conn=1003 fd=13 ACCEPT from IP=<server1_IP>:56368 (IP=0.0.0.0:636)
    slapd[11995]: connection_read(13): TLS accept failure error=-1 id=1003, closing

    slapd[11485]: slap_client_connect: URI=ldaps://server01.mycompany.net DN="cn=Admin,dc=mycompany,dc=net" ldap_sasl_bind_s failed (-1)
    slapd[11485]: do_syncrepl: rid=001 rc -1 retrying
Server 1 configuration
*************************

    # Server1 synchronization settings
    serverID 1
    syncrepl rid=002
        provider=ldaps://server02.mycompany.net
        binddn="cn=Admin,dc=mycompany,dc=net"
        bindmethod=simple
        credentials=secret
        tls_cert=/etc/openldap/certs/server02.mycompany.net.pem
        tls_cacert=/etc/openldap/certs/Verisignbundle.crt
        tls_key=/etc/openldap/certs/server02.mycompany.net.key
        # allow: proceed even if the provider's certificate fails verification
        tls_reqcert=allow
        searchbase="dc=mycompany,dc=net"
        type=refreshAndPersist
        retry="5 5 300 +"
        timelimit=5
        attrs="*,+"
        interval=00:00:05:00
        schemachecking=off
    mirrormode on

    # Server1 synchronization overlay
    overlay syncprov
    syncprov-checkpoint 100 10
    syncprov-sessionlog 100
    # Server1 end

**************************************************************************************************
Server 2 configuration
*********************************

    # Server2 synchronization settings
    serverID 2
    syncrepl rid=001
        provider=ldaps://server01.mycompany.net
        binddn="cn=Admin,dc=mycompany,dc=net"
        bindmethod=simple
        credentials=secret
        tls_cert=/etc/openldap/certs/server01.mycompany.net.pem
        tls_cacert=/etc/openldap/certs/Verisignbundle.crt
        tls_key=/etc/openldap/certs/server01.mycompany.net.key
        # allow: proceed even if the provider's certificate fails verification
        tls_reqcert=allow
        searchbase="dc=mycompany,dc=net"
        type=refreshAndPersist
        retry="5 5 300 +"
        timelimit=5
        attrs="*,+"
        interval=00:00:05:00
        schemachecking=off
    mirrormode on

    # Server02 synchronization overlay
    overlay syncprov
    syncprov-checkpoint 100 10
    # Server2 end

**************************************************************************************************
Any help is greatly appreciated.
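A diagnostic an editor would add here (not part of the original post): the two errors above come from different layers, a TLS accept failure on the provider and a bind failure on the consumer, and the script below separates them by first doing a raw TLS handshake against each provider with the consumer's client cert and the CA bundle, then a simple bind over ldaps with certificate verification forced on. It assumes openssl and ldapsearch are on PATH and reuses the certificate paths from the posted config; the hostnames and DN are the ones in the thread.

```shell
#!/bin/sh
# Added example: probe a syncrepl provider over ldaps and tell TLS failures
# from bind failures. Paths below are taken from the posted slapd.conf.
CA_BUNDLE=/etc/openldap/certs/Verisignbundle.crt

# host_from_uri URI: "ldaps://host:636/" -> "host"
host_from_uri() {
    printf '%s\n' "$1" | sed -e 's|^ldaps\{0,1\}://||' -e 's|[:/].*$||'
}

# port_from_uri URI: explicit port if present, else 636 for ldaps, 389 for ldap
port_from_uri() {
    _hp=$(printf '%s\n' "$1" | sed -e 's|^ldaps\{0,1\}://||' -e 's|/.*$||')
    case "$_hp" in
        *:*) printf '%s\n' "${_hp##*:}" ;;
        *)   case "$1" in ldaps://*) echo 636 ;; *) echo 389 ;; esac ;;
    esac
}

# tls_probe HOST PORT CERT KEY: handshake only. Prints the peer subject and the
# verify result, so a CN/SAN that does not match HOST, or a chain that does not
# end in CA_BUNDLE, shows up before any LDAP operation is attempted.
# The client cert is offered so the provider's TLSVerifyClient setting is exercised.
tls_probe() {
    openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$CA_BUNDLE" -cert "$3" -key "$4" -verify_return_error \
        </dev/null 2>&1 | grep -E 'subject=|Verify return code|verify error'
}

# bind_probe URI BINDDN: simple bind plus a base search, with the consumer-side
# equivalent of tls_reqcert=demand, i.e. an unverifiable provider cert is a failure.
bind_probe() {
    LDAPTLS_CACERT="$CA_BUNDLE" LDAPTLS_REQCERT=demand \
        ldapsearch -H "$1" -x -D "$2" -W -b "" -s base "(objectClass=*)" namingContexts
}

# Usage on server01 (consumer of rid=002):
#   tls_probe "$(host_from_uri ldaps://server02.mycompany.net)" \
#             "$(port_from_uri ldaps://server02.mycompany.net)" \
#             /etc/openldap/certs/server02.mycompany.net.pem \
#             /etc/openldap/certs/server02.mycompany.net.key
#   bind_probe ldaps://server02.mycompany.net "cn=Admin,dc=mycompany,dc=net"
```

If tls_probe reports a non-zero verify return code, the "TLS accept failure" is a certificate or CA problem and tls_reqcert=allow on the consumer is only masking it; if the handshake verifies but bind_probe fails, the problem is the bind DN or credentials, not TLS.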
--On Wednesday, January 09, 2013 6:19 PM -0600 Houston Ray houston.r.hopkins@gmail.com wrote:
> I am attempting to move my syncrepl with mirrormode configuration over to TLS using LDAPS (not starttls) and running into problems.
> Multimaster setup (2 servers) behind a VIP
> both RHEL 6.3

Problem 1

> Openldap 2.4.23-26

Problem 2
Don't use RH's builds of OpenLDAP, they link to their broken MozNSS stuff. Use a current release of OpenLDAP.
Once you've done that, then see what progress you can make.
I would note you can get useful OpenLDAP builds for RHEL from http://ltb-project.org/wiki/download#openldap
They link to OpenSSL rather than MozNSS, and are current.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org