Hi,
I'm having trouble running the LDAP replica with TLS; without TLS, everything works!! Provider and Consumer are identical.
CentOS release 6.5
rpm -qa | grep ldap
openldap-clients-2.4.23-34.el6_5.1.x86_64
openldap-2.4.23-34.el6_5.1.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64
mod_authz_ldap-0.26-16.el6.x86_64
pam_ldap-185-11.el6.x86_64
openldap-servers-2.4.23-34.el6_5.1.x86_64
Provider config, file cn=config.ldif:
olcTLSCACertificateFile: /etc/openldap/certs/ldapscert.pem
olcTLSCertificateFile: /etc/openldap/certs/ldapscert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/keys/ldapskey.pem
olcTLSCipherSuite: TLSv1+RSA:!EXPORT:!NULL
olcTLSVerifyClient: never
Consumer config:
olcSyncrepl: {0}rid=000 provider=ldap://ldpsoc01devpom.sociale.it starttls=yes
  type=refreshonly retry="5 5 300 +" searchbase="dc=example,dc=it" attrs="*,+"
  bindmethod=simple
  binddn="uid=xxxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it"
  credentials=xxxxxxx interval=60
and, in /etc/openldap/ldap.conf:
TLS_CACERT /etc/openldap/certs/ldapscert.pem
TLS_REQCERT never
The certificate is self-signed.
On the slave, if I try the following command:
ldapsearch -ZZ -x -H ldap://ldpsoc01devpom -D 'uid=xxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it' -W 'objectclass=*' -v
everything is OK, but when I try to use TLS in replication, the process goes wrong. In the Provider log:
connection_get(16)
connection_get(16): got connid=1030
connection_read(16): checking for input on id=1030
connection_read(16): TLS accept failure error=-1 id=1030, closing
connection_closing: readying conn=1030 sd=16 for close
connection_close: conn=1030 sd=16
daemon: activity on 1 descriptor
daemon: activity on:
In the Consumer log:
slapd[6508]: =>do_syncrepl rid=000
slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it Warning, ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it DN="uid=bind_replica,ou=admin_bind,ou=utenze_amministratori,dc=sociale,dc=it" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=000 rc -1 retrying (3 retries left)
daemon: activity on 1 descriptor
daemon: activity on:
Help, I do not know where to turn!!!! Thanks
Ing. Stefano Elmopi Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio Via Ostiense 131/L Corpo B, 00154 Roma
cell. 3466147165 tel. 0657060500
email: stefano.elmopi@sociale.it
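As an added example (not part of the thread), the following script parses an olcSyncrepl value and a consumer ldap.conf in the form quoted above and reports what the TLS settings mean for how the consumer verifies the provider. The sample inputs are constructed from the configuration in the post; the syncrepl tls_reqcert/tls_cacert parameters and the ldap.conf defaults are those documented for OpenLDAP 2.4.

```python
"""Added example: check how a syncrepl consumer validates its provider's TLS identity."""
import shlex

# Constructed sample: the consumer's olcSyncrepl value as quoted in the thread.
SYNCREPL = ('{0}rid=000 provider=ldap://ldpsoc01devpom.sociale.it starttls=yes '
            'type=refreshonly retry="5 5 300 +" searchbase="dc=example,dc=it" '
            'attrs="*,+" bindmethod=simple '
            'binddn="uid=xxxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it" '
            'credentials=xxxxxxx interval=60')
# Constructed sample: the consumer's /etc/openldap/ldap.conf as quoted in the thread.
LDAP_CONF = "TLS_CACERT /etc/openldap/certs/ldapscert.pem\nTLS_REQCERT never\n"


def parse_syncrepl(value):
    """Turn 'rid=000 retry="5 5 300 +" ...' into a dict; shlex keeps quoted values whole."""
    if value.startswith("{"):                      # drop the {0} ordering prefix of cn=config
        value = value.split("}", 1)[1]
    params = {}
    for token in shlex.split(value):
        key, _, val = token.partition("=")
        params[key.lower()] = val
    return params


def parse_ldap_conf(text):
    """Read 'KEY value' lines of ldap.conf, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, val = line.partition(" ")
            conf[key.upper()] = val.strip()
    return conf


def tls_findings(params, ldap_conf):
    """List the ways this consumer could accept an unverified provider."""
    findings = []
    uri = params.get("provider", "")
    starttls = params.get("starttls", "no")        # syncrepl default is no StartTLS
    if uri.startswith("ldap://") and starttls == "no":
        findings.append("cleartext: bind credentials and replicated data travel unencrypted")
    # syncrepl's own tls_reqcert overrides ldap.conf; libldap's default is demand
    reqcert = params.get("tls_reqcert", ldap_conf.get("TLS_REQCERT", "demand")).lower()
    if starttls != "no" and reqcert in ("never", "allow"):
        findings.append(f"tls_reqcert={reqcert}: provider certificate is not verified, "
                        "so a spoofed provider could feed the consumer")
    if starttls != "no" and not (params.get("tls_cacert") or ldap_conf.get("TLS_CACERT")):
        findings.append("no CA file configured: the provider certificate can never be trusted")
    return findings
```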
Hello,
A question about the sssvlv overlay.
Info:
OpenLDAP 2.4.40 with meta to relay information from one AD, one eDirectory and one OpenLDAP (just using OpenLDAP for now).
I created a database to hold locally the root "dc=example,dc=fr" and the first-level OU "ou=TOUT,dc=example,dc=fr".
I bind the LDAP on "ou=LDAP,ou=TOUT,dc=example,dc=fr".
I activate this overlay (sssvlv) in slapd.conf (because of meta) globally (i.e. before the statement for the meta database):
overlay sssvlv
Just this line.
In the example.schema file I define ORDERING for the attribute displayName:
attributetype ( 2.16.840.1.113730.3.1.241 NAME 'displayName'
    DESC 'RFC2798: preferred name to be used when displaying entries'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
Then I try an ldapsearch like this:
ldapsearch -E 'sss=displayName' -H ldap://localhost -x -D "cn=Manager,dc=example,dc=fr" -b "ou=LDAP,ou=TOUT,dc=example,dc=fr" -w xxxx -s sub "(&(objectClass=user)(displayName=ag*))" displayName
# extended LDIF
#
# LDAPv3
# base <ou=LDAP,ou=TOUT,dc=example,dc=fr> with scope subtree
# filter: (&(objectClass=user)(displayName=ag*))
# requesting: displayName
# with server side sorting control
#

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.474 false MAMKAQA=
sortResult: (0) Success

# numResponses: 1
If I try the search without sorting:
ldapsearch -H ldap://localhost -x -D "cn=Manager,dc=example,dc=fr" -b "ou=LDAP,ou=TOUT,dc=example,dc=fr" -w xxxx -s sub "(&(objectClass=user)(displayName=ag*))" displayName
# extended LDIF
#
# LDAPv3
# base <ou=LDAP,ou=TOUT,dc=example,dc=fr> with scope subtree
# filter: (&(objectClass=user)(displayName=ag*))
# requesting: displayName
#

<results removed>

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
It finds 5 entries with displayName=Agnes, displayName=agiercza, ....
What did I forget?
Do I have to activate the overlay on the meta database and on the local database statement of slapd.conf?
Is my ldapsearch incorrect for using server-side sorting?
Thanks for help.
On 20/10/2014 19:22, Nicolas RENAULT wrote:
Note: I don't know how, but my post appears as a response to *LDAP Replica TLS problem http://www.openldap.org/lists/openldap-technical/201410/msg00119.html* (perhaps because I used reply-to to create my post :( ). Is it possible to detach my question from this thread? I apologize for the mistake.
Hello,
I made some searches and tests for this overlay:
If I create 3 users in ou=TOUT (local database) and activate sssvlv globally or locally, then sorting works for the 3 users. OK.
If I activate sssvlv on the meta backend I see the result I posted yesterday:

# extended LDIF
#
# LDAPv3
# base <ou=LDAP,ou=TOUT,dc=example,dc=fr> with scope subtree
# filter: (&(objectClass=user)(displayName=ag*))
# requesting: displayName
# with server side sorting control
#

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.474 false MAMKAQA=
sortResult: (0) Success

# numResponses: 1

I launched slapd in debug mode and saw that it may be a problem with the rewrite I made.
Without sort, all rewrites are made and I see the result.
With sort, only suffixmassage occurs when the information comes from the remote LDAP, and then no more processing, just the result you can see 3 lines up.
So, questions:
Is the sssvlv overlay working on the meta backend?
Is it possible to force the sssvlv overlay to work after all rewrites (rwm)?
Does someone know a trick to solve my problem?
Thanks for replies.
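As an added example (not from either of the posts above), the code below encodes the SortKeyList request control that ldapsearch sends for -E sss=displayName and decodes the sortResult value quoted in both sorted outputs above (control: 1.2.840.113556.1.4.474 false MAMKAQA=). The OIDs and the MAMKAQA= value come from the thread; the BER layout and result codes are those of RFC 2891.

```python
"""Added example: BER encode/decode of the LDAP server-side sorting controls (RFC 2891)."""
import base64

SSS_REQUEST_OID = "1.2.840.113556.1.4.473"    # SortKeyList, sent by the client
SSS_RESPONSE_OID = "1.2.840.113556.1.4.474"   # SortResult, returned by the server

# Subset of RFC 2891 sortResult codes useful when a sorted search returns nothing
SORT_RESULT = {0: "success", 16: "noSuchAttribute", 18: "inappropriateMatching",
               50: "insufficientAccessRights", 53: "unwillingToPerform", 80: "other"}


def _tlv(tag, body):
    """Minimal BER tag-length-value for short lengths, enough for sort controls."""
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body


def encode_sort_key_list(keys):
    """keys: list of (attribute, ordering_rule_or_None, reverse_bool). Returns BER bytes.
    SortKeyList ::= SEQUENCE OF SEQUENCE { attributeType OCTET STRING,
        orderingRule [0] OCTET STRING OPTIONAL, reverseOrder [1] BOOLEAN DEFAULT FALSE }"""
    inner = b""
    for attr, rule, reverse in keys:
        key = _tlv(0x04, attr.encode())          # OCTET STRING attributeType
        if rule:
            key += _tlv(0x80, rule.encode())     # [0] orderingRule (context, primitive)
        if reverse:
            key += _tlv(0x81, b"\xff")           # [1] reverseOrder TRUE
        inner += _tlv(0x30, key)
    return _tlv(0x30, inner)


def decode_sort_result(value):
    """value: base64 text as printed by ldapsearch, or raw bytes.
    SortResult ::= SEQUENCE { sortResult ENUMERATED, attributeType [0] OPTIONAL }
    Returns (code, name, failing_attribute_or_None)."""
    raw = base64.b64decode(value) if isinstance(value, str) else value
    assert raw[0] == 0x30, "expected SEQUENCE"
    body = raw[2:2 + raw[1]]
    assert body[0] == 0x0A, "expected ENUMERATED"
    n = body[1]
    code = int.from_bytes(body[2:2 + n], "big")
    rest = body[2 + n:]
    attr = rest[2:2 + rest[1]].decode() if rest and rest[0] == 0x80 else None
    return code, SORT_RESULT.get(code, "unknown"), attr
```

A sortResult of 0 alongside numEntries: 0 means the server accepted the sort request rather than rejecting it, so the missing entries are not a control-negotiation error.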
--On Monday, October 20, 2014 6:07 PM +0200 "Elmopi, Stefano" stefano.elmopi@sociale.it wrote:
Hi,
I'm having trouble running the LDAP replica with TLS; without TLS, everything works!! Provider and Consumer are identical.
CentOS release 6.5
rpm -qa | grep ldap
openldap-clients-2.4.23-34.el6_5.1.x86_64
openldap-2.4.23-34.el6_5.1.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64
mod_authz_ldap-0.26-16.el6.x86_64
pam_ldap-185-11.el6.x86_64
openldap-servers-2.4.23-34.el6_5.1.x86_64
Get a real version of OpenLDAP that isn't linked to the broken MozNSS libraries and is current (2.4.40 is the current release).
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Hi,
If your certificate is self-signed, try to remove this line:
olcTLSCACertificateFile: /etc/openldap/certs/ldapscert.pem
Keep only olcTLSCertificateFile and olcTLSCertificateKeyFile.
Best regards,
Cyrill Gremaud
On 20 Oct 2014, at 17:07, Elmopi, Stefano <stefano.elmopi@sociale.it> wrote: