Hi Angela, just got SASL EXTERNAL to work with syncrepl today. I am not sure if .ldaprc and others play a role here. The consumer LDAP server should have a certificate, which you configure in your slapd.conf (man slapd.conf) or otherwise in the config backend. If I am not confusing anything, you should have set

TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile

What's happening with you is that you most probably use a self-signed certificate. It is not good. I would suggest you set up your own CA and issue certificates to both consumer and provider.

best regards,
vadim tarassov

On Mon, 2007-03-05 at 12:32 +0100, Angela Gavazzi wrote:
> On Saturday, 3 March 2007 00:04, Pierangelo Masarati wrote:
> > Dieter Kluenter wrote:
> > > Hi,
> > >
> > > Angela Gavazzi <[EMAIL PROTECTED]> writes:
> > > > Hello!
> > > >
> > > > I'm trying to set up a replication with syncrepl and saslmech external
> > > > and it won't succeed.
> > > > I was reading a lot but I really don't see where the problem is now and
> > > > don't know how to continue. So I really would appreciate it if somebody
> > > > could point me to the probable error.
> > > > Please let me know if you need more info.
> > >
> > > [...]
> > >
> > > > *****************************************************************
> > > > slave:
> > > >
> > > > ...
> > > > overlay syncprov
> > > > syncrepl rid=001
> > > > provider=ldap://erde.aag:389
> > > > searchbase="dc=aag"
> > > > type=refreshOnly
> > > > filter="objectClass=*"
> > > > attrs="*,+"
> > > > schemachecking=off
> > > > scope=sub
> > > > interval=00:00:01:00
> > > > updatedn "cn=repl,dc=aag"
> > > > updateref="ldap://erde.aag:389"
> > > > bindmethod=sasl
> > > > saslmech=EXTERNAL
>
> Hi, first I updated to 2.3.32 as Quanah wrote.
>
> > Is the relevant ldaprc pointing to the certificate?
>
> ... from man
>
> Users may create an optional configuration file, ldaprc or .ldaprc, in
> their home directory which will be used to override the system-wide
> defaults file.
>
> The file ldaprc in the current working directory is also used.
>
> So I thought that ldap.conf is enough.
>
> Apologies for the question:
>
> Where should ldaprc/.ldaprc be, if the ldapuser has no shell?
>
> Or what's the current working directory from openldap?
>
> The homedir from ldapuser is /usr/local/ldap. I put the ldaprc
> therein, I tried also /etc/ldap and tried to start slapd with -r / -
> only for testing - and put it in there, but it makes no difference.
>
> That's my ldap.conf
>
> BASE dc=aag
> URI ldap://erde.aag:389
> TLS_CACERT /etc/ldap/certs/cacert.pem
> TLS_CERT /etc/ldap/certs/mond.aag_cert.pem
> TLS_KEY /etc/ldap/certs/mond.aag_key.pem
>
> > > > authz-regexp
> > > > "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische
> > > > Gesellschaft,OU=Goetheanum,CN=mond.aag,[EMAIL PROTECTED]"
> > > > "ldap:///dc=aag??one?(cn=repl)"
> > >
> > > What is the result of ldapwhoami -Yexternal -ZZ ldap://mond.aag?
>
> ldapwhoami -Yexternal -ZZ ldap://mond.aag
> SASL/EXTERNAL authentication started
> SASL username: [EMAIL PROTECTED],CN=mond.aag,OU=Goetheanum,O=Allgemeine Anthroposophische Gesellschaft,L=Dornach,ST=Switzerland,C=CH
> SASL SSF: 0
> dn:[EMAIL PROTECTED],cn=mond.aag,ou=goetheanum,o=allgemeine anthroposophische gesellschaft,l=dornach,st=switzerland,c=ch
> Result: Success (0)
>
> > If the above works, I think you'll need to add
> >
> > starttls=critical
>
> I did it and got this now:
>
> TLS certificate verification: depth: 0, err: 18,
> subject: /C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische Gesellschaft/OU=Goetheanum/CN=erde.aag/[EMAIL PROTECTED],
> issuer: /C=CH/ST=Switzerland/L=Dornach/O=Allgemeine Anthroposophische Gesellschaft/OU=Goetheanum/CN=erde.aag/[EMAIL PROTECTED]
> TLS certificate verification: Error, self signed certificate
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> Error: rid 001 ldap_start_tls failed (-11)
>
> So I understand that openldap doesn't recognize the CA, but at the
> moment I don't know how to solve this.
>
> It makes no difference if I start slapd as root, even if my ldapsearch
> as root works. I'm sure all cert and key files are accessible by the
> ldapuser.
>
> Thanks to all
>
> Angela
>
> > to your syncrepl configuration, and make sure TLS is configured OK both
> > in the producer (see slapd.conf(5)) and in the consumer (see
> > ldap.conf(5)), and make sure the TLS_CERT and TLS_KEY are set in the
> > user-specific ldap.conf(5),
>
> see below*
>
> > and that TLS_REQCERT in the consumer's ldap.conf(5)
>
> TLS_REQCERT require
>
> > and TLSVerifyClient in the producer's slapd.conf(5) are set
>
> TLSVerifyClient demand
>
> > to something like "demand", so that certificates are checked for sure by
> > both peers.
> >
> > p.
> >
> > Ing. Pierangelo Masarati
> > OpenLDAP Core Team
> >
> > SysNet s.n.c.
> > Via Dossi, 8 - 27100 Pavia - ITALIA
> > http://www.sys-net.it
> > ------------------------------------------
> > Office: +39.02.23998309
> > Mobile: +39.333.4963172
> > Email: [EMAIL PROTECTED]
> > ------------------------------------------
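A worked example, added here and not part of the thread, of the approach Vadim recommends: a private CA that issues certificates to both syncrepl peers, checked with `openssl verify`, plus a self-signed certificate checked the same way to reproduce the `err: 18` ("self signed certificate") failure from Angela's log. The hostnames, subject fields, directory layout and helper names (`make_ca`, `issue_cert`, `self_signed_cert`, `verify_cert`) are assumptions; the `cacert.pem` it produces is what `TLSCACertificateFile` in the provider's slapd.conf and `TLS_CACERT` in the consumer's ldap.conf have to point at, and the per-host key and certificate files map to `TLSCertificateKeyFile`/`TLSCertificateFile` and `TLS_KEY`/`TLS_CERT`.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA issuing certificates
# to both syncrepl peers, and verification of the result with openssl.
# Hostnames, subject fields and file names are assumptions.
set -eu

# make_ca DIR: create the CA key and its self-signed root certificate.
# DIR/cacert.pem is what the provider's TLSCACertificateFile and the
# consumer's TLS_CACERT should point to.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=CH/O=Example Org/CN=Example Org Replication CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# issue_cert DIR HOST: key and CSR for HOST, signed by the CA in DIR.
# HOST_cert.pem / HOST_key.pem go into TLSCertificateFile /
# TLSCertificateKeyFile on the provider and TLS_CERT / TLS_KEY on the consumer.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=CH/O=Example Org/CN=$2" \
        -keyout "$1/${2}_key.pem" -out "$1/${2}.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/${2}.csr" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -out "$1/${2}_cert.pem" 2>/dev/null
}

# self_signed_cert DIR HOST: the situation in the thread, a certificate
# that is its own issuer, so no CA file can vouch for it.
self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=CH/O=Example Org/CN=$2" \
        -keyout "$1/${2}_key.pem" -out "$1/${2}_cert.pem" 2>/dev/null
}

# verify_cert DIR HOST: succeed only if HOST's certificate chains to the CA
# in DIR, the same check the peers perform with TLS_REQCERT require /
# TLSVerifyClient demand. On failure openssl prints the reason, e.g.
# "error 18 at 0 depth lookup: self signed certificate".
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/${2}_cert.pem"
}

# Demo when run directly with a working directory as the argument.
if [ "${1:-}" ]; then
    make_ca "$1"
    issue_cert "$1" erde.aag   # provider
    issue_cert "$1" mond.aag   # consumer
    verify_cert "$1" erde.aag
    verify_cert "$1" mond.aag
    self_signed_cert "$1" erde.self
    verify_cert "$1" erde.self || echo "expected failure: unknown CA"
fi
```

Run it as `sh ca-demo.sh /tmp/repl-ca`: the two CA-issued certificates verify as OK, and the self-signed one fails with the same error 18 that slapd logged, which is what "unknown CA" in the TLS trace means from the consumer's side. A self-signed server certificate can only pass if that exact certificate is itself listed as the trust anchor; issuing from a CA keeps one trust anchor for both peers and lets either side's certificate be rotated without touching the other.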
