2014-12-09 17:12 GMT+01:00 Elmopi, Stefano <stefano.elm...@sociale.it>:
> Hi,
>
> I'm having a problem running the LDAP replica with TLS; without TLS, everything works!!
> Provider and Consumer are identical.
>
> CentOS release 6.5
>
> Provider config, file cn\=config.ldif
>
> olcTLSCACertificateFile: /etc/openldap/certs/ldapscert.pem
> olcTLSCertificateFile: /etc/openldap/certs/ldapscert.pem
> olcTLSCertificateKeyFile: /etc/openldap/certs/keys/ldapskey.pem
> olcTLSCipherSuite: TLSv1+RSA:!EXPORT:!NULL
> olcTLSVerifyClient: never
>
> Consumer config:
>
> olcSyncrepl: {0}rid=000
>   provider=ldap://ldpsoc01devpom.sociale.it
>   starttls=yes
>   type=refreshonly
>   retry="5 5 300 +"
>   searchbase="dc=example,dc=it"
>   attrs="*,+"
>   bindmethod=simple
>   binddn="uid=rsync,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it"
>   credentials=xxxxxxx
>   interval=60
>
> The certificate is self-signed.
>
> On the slave, if I try the following command:
>
> ldapsearch -ZZ -x -H ldap://ldpsoc01devpom -D 'uid=rsync,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it' -W 'objectclass=*' -v
>
> everything is OK, but when I try to use TLS in replication, the process goes wrong.
>
> In the Provider log:
>
> connection_get(16)
> connection_get(16): got connid=1030
> connection_read(16): checking for input on id=1030
> connection_read(16): TLS accept failure error=-1 id=1030, closing
> connection_closing: readying conn=1030 sd=16 for close
> connection_close: conn=1030 sd=16
> daemon: activity on 1 descriptor
> daemon: activity on:
>
> In the Consumer log:
>
> slapd[6508]: =>do_syncrepl rid=000
> slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it Warning, ldap_start_tls failed (-11)
> slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it DN="uid=bind_replica,ou=admin_bind,ou=utenze_amministratori,dc=sociale,dc=it" ldap_sasl_bind_s failed (-1)
> do_syncrepl: rid=000 rc -1 retrying (3 retries left)
> daemon: activity on 1 descriptor
> daemon: activity on:
>
> On the OpenLDAP forum, they told me that:
>
> > Get a real version of OpenLDAP that isn't linked to the broken MozNSS libraries and is current (2.4.40 is the current release).
>
> and so I was wondering whether the version you released suffers from this problem, or whether my configuration is wrong!!!
> Thanks

LTB packages are linked against OpenSSL. You need to configure the syncrepl client TLS options, see the OpenLDAP documentation.

Clément.
_______________________________________________ ltb-users mailing list ltb-users@lists.ltb-project.org http://lists.ltb-project.org/listinfo/ltb-users
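Clément's pointer to the syncrepl client TLS options, worked through as an added example (not code from the thread or from the LTB project). The consumer's olcSyncrepl above says starttls=yes but names no tls_cacert, so libldap has nothing to verify the provider's self-signed certificate against; the -11 in the consumer log is LDAP_CONNECT_ERROR, the code ldap_start_tls returns when the handshake itself fails. Because starttls=yes is not critical, slapd then goes on to attempt the simple bind anyway, which is the failed ldap_sasl_bind_s that follows. The script tokenizes the olcSyncrepl value (quoted values such as retry="5 5 300 +" are one token), reports the missing or weak TLS options, and emits the ldapmodify LDIF that rewrites the value with starttls=critical, tls_cacert and tls_reqcert=demand. The CA file path and the database DN in cn=config are assumptions; the sample value is the one from the post.

```python
"""Audit and repair the client TLS options in an olcSyncrepl value.

Added example, not code from the ltb-users thread or the LTB project.  It
tokenizes an olcSyncrepl value (values may be quoted and contain spaces,
e.g. retry="5 5 300 +"), reports missing or weak syncrepl TLS options, and
emits the ldapmodify LDIF that replaces the value with a verified-StartTLS
version.  The CA path and the config DN below are assumptions.
"""
import shlex

# Constructed sample: the consumer's olcSyncrepl value as posted in the thread,
# with the "{0}" ordering prefix that cn=config stores in front of it.
SAMPLE = ('{0}rid=000 provider=ldap://ldpsoc01devpom.sociale.it starttls=yes '
          'type=refreshonly retry="5 5 300 +" searchbase="dc=example,dc=it" '
          'attrs="*,+" bindmethod=simple '
          'binddn="uid=rsync,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it" '
          'credentials=xxxxxxx interval=60')

# Assumptions: where a copy of the provider's self-signed certificate lives on
# the consumer, and which database in cn=config carries the olcSyncrepl.
ASSUMED_CACERT = '/etc/openldap/certs/ldapscert.pem'
ASSUMED_DB_DN = 'olcDatabase={2}hdb,cn=config'

# Syncrepl-level TLS keywords from slapd.conf(5)/slapd-config(5) that make the
# consumer verify the provider and refuse to continue in cleartext.
HARDENED = {'starttls': 'critical',
            'tls_cacert': ASSUMED_CACERT,
            'tls_reqcert': 'demand'}


def parse_syncrepl(value):
    """Split an olcSyncrepl value into its "{n}" prefix and ordered (key, val) pairs."""
    prefix = ''
    if value.startswith('{'):
        end = value.index('}') + 1
        prefix, value = value[:end], value[end:]
    pairs = []
    for token in shlex.split(value):          # honours the double-quoted values
        key, _, val = token.partition('=')    # first '=' only: DNs contain more
        pairs.append((key, val))
    return prefix, pairs


def audit_tls(pairs):
    """Return human-readable findings; an empty list means the TLS settings are sound."""
    opts = dict(pairs)
    findings = []
    via_ldaps = opts.get('provider', '').startswith('ldaps://')
    starttls = opts.get('starttls')
    uses_tls = via_ldaps or starttls in ('yes', 'critical')
    if not uses_tls:
        findings.append('no TLS at all: neither an ldaps:// provider nor starttls=yes|critical')
    if starttls == 'yes':
        findings.append('starttls=yes continues in cleartext when StartTLS fails; '
                        'use starttls=critical so the bind is never sent unprotected')
    if uses_tls and 'tls_cacert' not in opts and 'tls_cacertdir' not in opts:
        findings.append('no tls_cacert/tls_cacertdir: a self-signed provider '
                        'certificate cannot be verified, so StartTLS fails')
    reqcert = opts.get('tls_reqcert', 'demand')   # libldap default unless ldap.conf overrides it
    if reqcert in ('never', 'allow'):
        findings.append(f'tls_reqcert={reqcert} accepts an unverified certificate (MITM)')
    return findings


def render(key, val):
    """Quote a value the way slapd expects when it contains spaces or commas."""
    if val == '' or any(c in val for c in ' ,'):
        return f'{key}="{val}"'
    return f'{key}={val}'


def harden(value, settings=HARDENED):
    """Return the value with the hardened TLS settings applied (in place or appended)."""
    prefix, pairs = parse_syncrepl(value)
    pending = dict(settings)
    out = []
    for key, val in pairs:
        out.append((key, pending.pop(key)) if key in pending else (key, val))
    out.extend(pending.items())
    return prefix + ' '.join(render(k, v) for k, v in out)


def ldif_modify(value, dn=ASSUMED_DB_DN):
    """ldapmodify input replacing the consumer's single olcSyncrepl value."""
    return (f'dn: {dn}\n'
            'changetype: modify\n'
            'replace: olcSyncrepl\n'
            f'olcSyncrepl: {value}\n')


if __name__ == '__main__':
    _, sample_pairs = parse_syncrepl(SAMPLE)
    for finding in audit_tls(sample_pairs):
        print('finding:', finding)
    print(ldif_modify(harden(SAMPLE)))
```

Run it on the consumer, save the printed LDIF and apply it with ldapmodify over the local ldapi socket as root (`ldapmodify -Y EXTERNAL -H ldapi:/// -f fix.ldif`, the usual way to edit cn=config); the tls_cacert file must be a copy of the provider's certificate, since a self-signed certificate is its own CA. The script deliberately does not offer tls_reqcert=never: it would make StartTLS "work" while leaving the replication credentials open to an impersonating provider.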