
List:       ldap
Subject:    [ldap] slurpd over ssl
From:       "Ran Li" <Ran.Li () sprint-canada ! com>
Date:       2005-10-19 13:51:15
Message-ID: B7632B2426EB33428FEC68D78B02295104301EE7 () vpme2kb3 ! callnetcanada ! com

Hello list,

I have searched and read the archive but still do not have a clue about my
problem. Please see if you could provide a clue for troubleshooting. I'm
trying to configure replication between hosts lda01 and lda03 (OL
2.3.7, BDB 4.3.28, openssl-0.9.8). When using 389 everything was fine, and
I can do the following to prove ldaps is working:

lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda03.mydomain.com -Z
or
lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda03.mydomain.com


lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda01.mydomain.com -Z
or
lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda01.mydomain.com

I can use ldapadmin tools to connect to the servers over port 636 too.

openssl verification on both servers says:

# openssl s_client -connect lda01.mydomain.com:636 -showcerts -state -CAfile /usr/local/openssl/misc/var/ca/cacert.pem
......
    Verify return code: 0 (ok)

# openssl s_client -connect lda01.mydomain.com:636
......
    Verify return code: 19 (self signed certificate in certificate chain)

but when I start slurpd, the log complains:

[lda01 ~]# /usr/local/openldap/libexec/slurpd -f /usr/local/openldap/etc/openldap/slapd.conf -r /var/log/slapd.replog -d 1
@(#) $OpenLDAP: slurpd 2.3.7 (Sep  7 2005 13:42:42) $
        root@lda01.mydomain.com:/opt/src/openldap-2.3.7/servers/slurpd

ldap_url_parse_ext(ldaps://lda03.mydomain.com)
Warning: saved state for 10.1.4.133:389, not a known replica
Warning: unknown replica 10.1.4.133:389 found in replication log
Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
Replica lda03.mydomain.com:636, skip repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
ldap_create
ldap_url_parse_ext(ldaps://lda03.mydomain.com)
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP lda03.mydomain.com:636
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 10.1.4.133:636
ldap_connect_timeout: fd: 8 tm: -1 async: 0
ldap_ndelay_on: 8
Warning: unknown replica lda03.mydomain.com:0 found in replication log
ldap_is_sock_ready: 8
ldap_ndelay_off: 8
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=ca/ST=ontario/L=toronto/O=my corp/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com, issuer: /C=ca/ST=ontario/L=toronto/O=mydomain/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA 
TLS trace: SSL_connect:error in SSLv3 read server certificate B 
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error: ldap_simple_bind_s for lda03.mydomain.com:636 failed: Can't contact LDAP server
ldap_unbind

All configurations use the same cacert.pem, but
servercert.pem/serverkey.pem are different.

slapd.conf 
...
TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem

ldap.conf 
...
tls_reqcert allow
tls_cacert /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts

slurpd over SSL is not working; please comment. Thanks.

Regards,

Ran
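The two openssl runs in the mail (verify code 0 with the CA file named explicitly, code 19 without it) are the right check to repeat for whatever process is failing, because a working ldapsearch says little on its own: with `tls_reqcert allow` in ldap.conf the client proceeds even when the server's chain cannot be verified, so it never exercises the CA file the way a stricter client does. The script below is an added example, not code from the post or from OpenLDAP; it builds a throwaway CA and server certificate with openssl, reproduces both verify outcomes offline, and pulls the CA file path out of slapd.conf- and ldap.conf-style snippets so the path each configuration actually trusts can be compared. The CA, subject names and temporary paths are constructed for the demo; the two config snippets reuse the directives quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the two openssl
# verify outcomes quoted in the mail against a throwaway CA built here, and
# extracts the CA file path from slapd.conf / ldap.conf style snippets.
# All names and paths are constructed for the demo.
set -u

WORK=$(mktemp -d)

# Throwaway PKI: a self-signed CA plus one server certificate it signs.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/C=ca/O=mydomain/CN=test-ca" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=ca/O=mydomain/CN=lda03.mydomain.com" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_chain CAFILE  -> prints openssl's X509 verify error number (0 = OK).
# verify_chain ""      -> same, but the CA is offered only as *untrusted*
# chain material, which is what a server's handshake gives a client with no
# anchor configured; expect 19 (self signed certificate in certificate chain).
verify_chain() {
    if [ -n "$1" ]; then
        out=$(openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1) || true
    else
        out=$(openssl verify -no-CApath -no-CAfile \
              -untrusted "$WORK/ca.pem" "$WORK/server.pem" 2>&1) || true
    fi
    # "error N at D depth lookup: ..." carries the numeric code on failure.
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        case "$out" in *": OK"*) code=0 ;; *) code=1 ;; esac
    fi
    echo "$code"
}

# Print the CA file a config names: TLSCACertificateFile (slapd.conf) or
# tls_cacert / TLS_CACERT (ldap.conf). Usage: ca_file_of <conf-file>
ca_file_of() {
    awk 'tolower($1) == "tlscacertificatefile" || tolower($1) == "tls_cacert" { print $2; exit }' "$1"
}

# Sample snippets, constructed from the directives quoted in the mail.
write_sample_configs() {
    cat > "$WORK/slapd.conf" <<'EOF'
TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
EOF
    cat > "$WORK/ldap.conf" <<'EOF'
tls_reqcert allow
tls_cacert /etc/openldap/cacerts/cacert.pem
EOF
}

demo() {
    make_test_pki || { echo "openssl failed; is it installed?" >&2; return 1; }
    echo "verify with -CAfile ca.pem : error $(verify_chain "$WORK/ca.pem")"
    echo "verify with no trusted CA  : error $(verify_chain "")"
    write_sample_configs
    a=$(ca_file_of "$WORK/slapd.conf"); b=$(ca_file_of "$WORK/ldap.conf")
    [ "$a" = "$b" ] && echo "same CA file in both configs" \
                    || echo "different CA files: slapd.conf=$a ldap.conf=$b"
}

demo
```

The `-untrusted` run is the one to keep in mind: openssl can build the whole chain from what the peer sends and still reports 19, because a chain that ends in a self-signed certificate is only as good as the anchor the verifier was configured to trust. Run `verify_chain` with the exact path from the configuration the failing process reads, not the path a different client happens to use.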



