Dear OpenLDAP experts,
I'm about to set up an OpenLDAP server with the following features:
- TLS/SSL with self-signed certificates
- TLS-encrypted N-way replication (Syncrepl)
My environment:
- 2 x RHEL 6.0
- OpenLDAP 2.4.23
I try to sync both databases: cn=config and backend-db. The problem is that I'm not able to turn on TLS for both sync-connections at the same time. It works for each connection but only if the second one is unencrypted.
Working configuration:
-----
olcDatabase={0}config,cn=config
...
olcSyncrepl: {0}rid=001 provider=ldap://ldapserver1.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://ldapserver2.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
...
olcDatabase={1}bdb,cn=config
...
olcSyncrepl: {0}rid=003 provider=ldap://ldapserver1.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
olcSyncrepl: {1}rid=004 provider=ldap://ldapserver2.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
-----
(desired) Configuration, which doesn't work:
-----
olcDatabase={0}config,cn=config
...
olcSyncrepl: {0}rid=001 provider=ldap://ldapserver1.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
olcSyncrepl: {1}rid=002 provider=ldap://ldapserver2.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
...
olcDatabase={1}bdb,cn=config
...
olcSyncrepl: {0}rid=003 provider=ldap://ldapserver1.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
olcSyncrepl: {1}rid=004 provider=ldap://ldapserver2.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
-----
/etc/openldap/cacerts/ca.pem contains CA certificates of both servers.
What is wrong? I would be very thankful for every advice.
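The configurations above are the kind of thing an administrator audits before switching a replica to a "must be encrypted" setup, so here is a small offline checker. It is an added example and not code from the thread or from the OpenLDAP project: it parses the olcSyncrepl values as posted (the sample list is constructed from the "working" configuration in the mail) and classifies each replication connection by transport. Two facts from slapd.conf(5) drive the classification: `starttls=yes` is opportunistic and slapd continues in cleartext if the StartTLS request fails, whereas `starttls=critical` aborts the session instead; an `ldaps://` provider URL is TLS from the first byte. Function and field names (`parse_syncrepl`, `classify_transport`, `audit`, `starttls_probe_command`) are this example's own.

```python
"""Offline audit of olcSyncrepl directives for transport encryption.

Added example, not part of the original thread. Nothing here contacts a
server; it only inspects configuration text and builds a probe command.
"""
import shlex
from typing import Dict, List

# Constructed sample: the "working" configuration from the mail. rid 001/002
# (cn=config replication) carry no starttls/tls_cacert settings at all.
SAMPLE_SYNCREPL = [
    '{0}rid=001 provider=ldap://ldapserver1.com binddn="cn=config" '
    'bindmethod=simple credentials=secret searchbase="cn=config" '
    'type=refreshAndPersist retry="5 5 300 5" timeout=1',
    '{1}rid=002 provider=ldap://ldapserver2.com binddn="cn=config" '
    'bindmethod=simple credentials=secret searchbase="cn=config" '
    'type=refreshAndPersist retry="5 5 300 5" timeout=1',
    '{0}rid=003 provider=ldap://ldapserver1.com binddn="cn=manager,dc=ldap,dc=com" '
    'bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" '
    'type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 '
    'starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem',
    '{1}rid=004 provider=ldap://ldapserver2.com binddn="cn=manager,dc=ldap,dc=com" '
    'bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" '
    'type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 '
    'starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem',
]


def parse_syncrepl(value: str) -> Dict[str, str]:
    """Split one olcSyncrepl value into a key -> value map.

    A leading cn=config ordering index such as {0} is dropped. shlex.split
    resolves the double-quoted values (retry="5 5 300 5") so a quoted value
    containing spaces stays one parameter.
    """
    if value.startswith("{"):
        value = value[value.index("}") + 1:]
    params: Dict[str, str] = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if sep:  # tokens without '=' are not syncrepl parameters
            params[key.lower()] = val
    return params


def classify_transport(params: Dict[str, str]) -> str:
    """Name the transport a syncrepl consumer would actually get."""
    provider = params.get("provider", "").lower()
    starttls = params.get("starttls", "no").lower()
    if provider.startswith("ldaps://"):
        return "ldaps"
    if starttls == "critical":
        return "starttls-critical"       # session aborts if StartTLS fails
    if starttls == "yes":
        return "starttls-opportunistic"  # falls back to cleartext on failure
    return "cleartext"


def audit(values: List[str]) -> List[Dict[str, str]]:
    """Return one finding per directive, flagging simple-bind passwords that
    can cross the wire unencrypted."""
    findings = []
    for value in values:
        p = parse_syncrepl(value)
        transport = classify_transport(p)
        simple = p.get("bindmethod", "simple").lower() == "simple"
        if transport == "cleartext" and simple:
            risk = "bind password sent in the clear"
        elif transport == "starttls-opportunistic" and simple:
            risk = "bind password sent in the clear if StartTLS fails"
        else:
            risk = "ok"
        findings.append({"rid": p.get("rid", "?"), "provider": p.get("provider", "?"),
                         "transport": transport, "risk": risk})
    return findings


def starttls_probe_command(params: Dict[str, str]) -> str:
    """Build an ldapsearch command that refuses to run without StartTLS (-ZZ),
    so a failing StartTLS shows up as an error instead of a silent fallback.
    -W prompts for the password rather than placing it on the command line."""
    return ("ldapsearch -ZZ -x -H {} -D {} -W -b {} -s base 1.1".format(
        shlex.quote(params["provider"]), shlex.quote(params["binddn"]),
        shlex.quote(params["searchbase"])))


if __name__ == "__main__":
    for f in audit(SAMPLE_SYNCREPL):
        print("rid={rid} {provider}: {transport} ({risk})".format(**f))
    print(starttls_probe_command(parse_syncrepl(SAMPLE_SYNCREPL[2])))
```

Run against the "working" configuration this reports rid 001/002 as cleartext and rid 003/004 as opportunistic StartTLS; the probe command it prints for a provider is a quick way to confirm, from the consumer host, that StartTLS actually succeeds against that provider with the CA file in `/etc/openldap/cacerts/ca.pem` configured as `TLS_CACERT` in ldap.conf. The root cause raised later in the thread, which TLS library slapd is linked against, is a separate check (`ldd` on the slapd binary), not something this configuration audit can see.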
--On Thursday, September 08, 2011 11:13 AM +0200 Alexey Tyurikov alexey.tyurikov@isko-engineers.de wrote:
My environment:
- 2 x RHEL 6.0
- OpenLDAP 2.4.23
What is wrong? I would be very thankful for every advice.
If you didn't build OpenLDAP yourself against OpenSSL, your answer is in the above. RHEL builds link against MozNSS which has had a variety of interesting issues. If you are using RedHat's OpenLDAP build, then you need to contact RedHat support for this. Or, build OpenLDAP yourself and link it against OpenSSL for now. There will be a number of fixes for MozNSS support in 2.4.27.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org