Hi,
It's been a few days I'm trying to replicate my actual LDAP server on a new one. @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:18:58) $ buildd@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd and @(#) $OpenLDAP: slapd (Oct 17 2012 19:48:41) $ buildd@komainu:/build/buildd/openldap-2.4.28/debian/build/servers/slapd for the replica.
The replication part works great, but whenever I try to use TLS it fails. Here is how I proceed:
- Generate the certs (tried with CA.sh, CA.pl, certtools) -> I use the server's FQDN as CN (hostname --fqdn gives the right output)
- Copy files to /etc/ldap/ssl
- chmod 660 them and chown openldap:openldap
An output of slapcat can be found here: http://paste.ubuntu.com/5638646/
When I try to check if TLS is working by using -ZZ of ldapsearch, i.e.:
ldapsearch -xLLL -b dc=beware,dc=fr -D cn=admin,dc=beware,dc=fr -w motdepasse -H ldap://master.beware.fr/ -ZZ
I get no error.
The errors I get are:
May 6 16:14:20 master slapd[1057]: slapd starting
May 6 16:14:23 master slapd[1057]: slap_client_connect: URI=ldap://slave.beware.fr/ DN="cn=admin,cn=config" ldap_sasl_bind_s failed (-1)
May 6 16:14:23 master slapd[1057]: do_syncrepl: rid=002 rc -1 retrying (4 retries left)
May 6 16:14:23 master slapd[1057]: slap_client_connect: URI=ldap://slave.beware.fr Warning, ldap_start_tls failed (-1)
May 6 16:14:26 master slapd[1057]: slap_client_connect: URI=ldap://slave.beware.fr DN="cn=admin,dc=beware,dc=fr" ldap_sasl_bind_s failed (-1)
May 6 16:14:26 master slapd[1057]: do

(on the slave)
e.fr Error, ldap_start_tls failed (-1)
May 6 16:14:55 slave slapd[1278]: do_syncrepl: rid=003 rc -1 retrying (4 retries left)
May 6 16:15:00 slave slapd[1278]: slap_client_connect: URI=ldap://master.beware.fr/ DN="cn=admin,cn=config" ldap_sasl_bind_s failed (-1)
May 6 16:15:00 slave slapd[1278]: do_syncrepl: rid=001 rc -1 retrying (3 retries left)
May 6 16:15:00 slave slapd[1278]: slap_client_connect: URI=ldap://master.beware.fr Error, ldap_start_tls failed (-1)
May 6 16:15:00 slave slapd[1278]: do_syncrepl: rid=003 rc -1 retrying (3 retries left)

Output of slapd -d 16383:
5187bb09 slap_client_connect: URI=ldap://master.beware.fr Error, ldap_start_tls failed (-1)
5187bb09 daemon: activity on 1 descriptor
5187bb09 daemon: activity on:
5187bb09
5187bb09 daemon: epoll: listen=7 active_threads=0 tvp=zero
5187bb09 daemon: epoll: listen=8 active_threads=0 tvp=zero
5187bb09 do_syncrepl: rid=003 rc -1 retrying (3 retries left)
Regards,
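As an added example (not part of the thread and not the poster's configuration), here is a cn=config LDIF that puts the provider's TLS material and the consumer's syncrepl TLS parameters in one place. It reuses the host names, bind DNs, base and /etc/ldap/ssl directory from the post; the certificate file names, the olcDatabase={1}hdb DN, rid=003 and the retry schedule are assumptions. The security-relevant point is the last value: with starttls=critical the consumer aborts the session instead of falling back to a cleartext simple bind when StartTLS fails, and tls_reqcert=demand plus an explicit tls_cacert makes the trust anchor used for replication unambiguous rather than inherited.

```ldif
# Added example, not from the thread. File names under /etc/ldap/ssl are assumed.

# 1. Provider (master.beware.fr), cn=config: the certificate slapd presents
#    must carry the FQDN that consumers use in their provider= URI, and the
#    key file should be readable only by the openldap user (660 openldap:openldap
#    as in the post is fine; world-readable is not).
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/master.beware.fr.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/master.beware.fr.key
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: never

# 2. Consumer (slave.beware.fr), data database (assumed to be {1}hdb here):
#    give syncrepl its own TLS parameters instead of relying on defaults.
#    starttls=critical  -> abort rather than bind in cleartext if StartTLS fails
#    tls_reqcert=demand -> refuse the provider if its cert does not verify
#    tls_cacert=...     -> the CA that signed master.beware.fr.crt
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=003 provider=ldap://master.beware.fr/ type=refreshAndPersist
  retry="5 5 300 +" searchbase="dc=beware,dc=fr"
  bindmethod=simple binddn="cn=admin,dc=beware,dc=fr" credentials=motdepasse
  starttls=critical tls_reqcert=demand tls_cacert=/etc/ldap/ssl/ca.crt
```

Apply each part on its host with ldapmodify against cn=config (for example `ldapmodify -x -D cn=admin,cn=config -W -H ldapi:/// -f tls.ldif`, using the cn=config admin DN from the post). To make the hand check exercise the same trust anchor as syncrepl, run ldapsearch from the consumer host with the CA passed through the libldap environment variables documented in ldap.conf(5): `LDAPTLS_CACERT=/etc/ldap/ssl/ca.crt LDAPTLS_REQCERT=demand ldapsearch -x -ZZ -H ldap://master.beware.fr/ -b '' -s base`. A -ZZ search that passes without those variables, while syncrepl's ldap_start_tls fails, tells you the two clients are not verifying the provider certificate against the same CA and host name; `ldapsearch -d 1` on the same command prints the TLS handshake details.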
--On Monday, May 06, 2013 4:15 PM +0200 Thomas Macaigne t.macaigne@beware.fr wrote:
Hi,
It's been a few days I'm trying to replicate my actual LDAP server on a new one.
@(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:18:58) $ buildd@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd and
@(#) $OpenLDAP: slapd (Oct 17 2012 19:48:41) $ buildd@komainu:/build/buildd/openldap-2.4.28/debian/build/servers/slapd for the replica.
As has been discussed multitudes of times, using the Debian builds of OpenLDAP is an extremely bad idea for a multitude of reasons. Mixing versions of OpenLDAP is even worse.
Build OpenLDAP yourself. Link it to OpenSSL. Get a current release.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org