On 07/31/2013 12:36 PM, Tony Davis wrote:
Hi,
I wonder if anyone can help me with a question I have regarding an
OpenLDAP setup on Red Hat / CentOS 5.8 using openldap-2.3.43.
I am trying to set up replication. I have set this up using the simple
bind method, which stores a password for the replication in the config
(this works), but I wondered if there was a way to have this replication
take place using SSL certificates without the need to store the unhashed
password in the slapd.conf? Is this possible, or do I still have to
specify a replication user and password, with all the auth taking place over SSL?
This is my current config for replication:
syncrepl rid=001
provider=ldap://master01.tld
type=refreshAndPersist
interval=00:00:05:00
retry="5 5 300 +"
searchbase="dc=tld"
attrs="*,+"
bindmethod=sasl
saslmech=EXTERNAL
tls_cert=/etc/master02.tld.pem
tls_key=/etc/master02.tld.key
tls_cacert=/etc/openldap/cacerts/ca.pem
tls_reqcert=demand
starttls=yes
mirrormode on
updateref ldap://master01.tld
but in the replication log I get the following:
Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001
ldap_sasl_interactive_bind_s failed (7)
Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying
(3 retries left)
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on:
I'm struggling with a similar problem (see message "N-Way Multi-Master
TLS problem" from a few hours ago) so I'm afraid I don't have an answer
for you. This FAQ entry might help:
http://www.openldap.org/faq/data/cache/1504.html
One tip: usually the developers/experienced folks on this list will
advise you to upgrade your OpenLDAP version to the latest version using
packages available from http://ltb-project.org or build the latest
OpenLDAP from source against OpenSSL (not GnuTLS). Between 2.3.43 and
the latest 2.4.35 version many syncrepl bugs have been fixed, so maybe
start with that.
If you find a solution I would appreciate it if you could update the
thread. It might provide a pointer on how to solve my problem.
Regards,
Patrick
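The following is an added example, not code from either poster: a small Python checker that lints a syncrepl consumer stanza for certificate-based (SASL/EXTERNAL over TLS) replication and decodes the bind failure code from slapd's log. It embeds a constructed copy of the stanza and log lines from the thread (the two wrapped log lines are re-joined onto one line each); result-code names follow RFC 4511. Code 7 is authMethodNotSupported, which slapd returns when the EXTERNAL mechanism is not available on that connection, typically because no verified client-certificate identity exists on it (the provider must request client certificates with TLSVerifyClient and map the certificate subject to an entry with authz-regexp; neither is shown in the thread, so the checker only covers the consumer side). The severity labels and messages are this example's own.

```python
"""Lint a syncrepl consumer stanza for cert-based replication and decode
bind failures from slapd logs (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the consumer stanza from the thread, laid out as it
# would appear in slapd.conf (continuation lines indented).
CONSUMER_STANZA = """\
syncrepl rid=001
  provider=ldap://master01.tld
  type=refreshAndPersist
  interval=00:00:05:00
  retry="5 5 300 +"
  searchbase="dc=tld"
  attrs="*,+"
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/master02.tld.pem
  tls_key=/etc/master02.tld.key
  tls_cacert=/etc/openldap/cacerts/ca.pem
  tls_reqcert=demand
  starttls=yes
"""

# Constructed sample: the log lines from the thread, each re-joined onto
# a single line (the mail client had wrapped them).
SLAPD_LOG = [
    "Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 "
    "ldap_sasl_interactive_bind_s failed (7)",
    "Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying "
    "(3 retries left)",
    "Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor",
]

# LDAP result codes a replication bind plausibly fails with (RFC 4511 names).
LDAP_RESULT_NAMES = {
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# keyword=value, where value is either "quoted with spaces" or one token
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syncrepl(stanza: str) -> Dict[str, str]:
    """Flatten a slapd.conf syncrepl stanza into a keyword -> value map."""
    text = " ".join(line.strip() for line in stanza.splitlines())
    if not text.startswith("syncrepl"):
        raise ValueError("not a syncrepl stanza")
    return {k: v.strip('"') for k, v in _KV.findall(text)}


def check_consumer(stanza: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the consumer side only."""
    cfg = parse_syncrepl(stanza)
    findings: List[Tuple[str, str]] = []
    over_tls = (cfg.get("provider", "").startswith("ldaps://")
                or cfg.get("starttls") in ("yes", "critical"))
    method, mech = cfg.get("bindmethod"), cfg.get("saslmech", "").upper()

    if method == "sasl" and mech == "EXTERNAL":
        if not over_tls:
            findings.append(("error", "SASL/EXTERNAL needs a TLS session: "
                                      "use ldaps:// or starttls=critical"))
        elif cfg.get("starttls") == "yes":
            # starttls=yes carries on in cleartext if StartTLS fails, and
            # EXTERNAL then has no certificate identity to bind with.
            findings.append(("warn", "starttls=yes continues in cleartext if "
                                     "StartTLS fails; use starttls=critical"))
        for key in ("tls_cert", "tls_key"):
            if key not in cfg:
                findings.append(("error", f"{key} missing: no client "
                                          "certificate can be presented"))
        if "credentials" in cfg:
            findings.append(("warn", "credentials= is unused by EXTERNAL; "
                                     "remove the stored password"))
    elif method == "simple":
        if "credentials" in cfg:
            findings.append(("warn", "bind password stored in clear in "
                                     "slapd.conf (simple bind)"))
        if not over_tls:
            findings.append(("error", "simple bind without TLS sends the "
                                      "password in cleartext"))
    return findings


_BIND_FAIL = re.compile(
    r"do_syncrep1: rid (\d+) ldap_sasl_interactive_bind_s failed \((\d+)\)")


def decode_bind_failures(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Extract (rid, result code, RFC 4511 name) for each failed bind."""
    out = []
    for line in lines:
        m = _BIND_FAIL.search(line)
        if m:
            code = int(m.group(2))
            out.append((m.group(1), code, LDAP_RESULT_NAMES.get(code, "unknown")))
    return out


if __name__ == "__main__":
    for severity, msg in check_consumer(CONSUMER_STANZA):
        print(f"[{severity}] {msg}")
    for rid, code, name in decode_bind_failures(SLAPD_LOG):
        print(f"rid {rid}: bind failed with {code} ({name})")
```

Run against the thread's stanza it reports only the starttls=yes warning, so the consumer config itself is plausible and the code 7 points at the provider not offering EXTERNAL on that connection; that is the side to inspect next (TLS enabled on the provider, client certificate requested, subject mapped with authz-regexp).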