Hello,
Please keep replies on the list.
--On Tuesday, January 28, 2020 8:06 AM +0000 Клеусов
Владимир Сергеевич <[email protected]> wrote:
Fixed
Not sure what you're saying was fixed. There were not really any errors
discussed in your prior email, simply a note that the replication you were
configuring would only replicate the cn=config database. Your
modification appears to keep that behavior.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://infra-ldap-m9.wb.ru
  searchbase="cn=config" bindmethod=simple credentials=5fX?BLR2
  binddn="cn=admin,cn=config" starttls=no
  tls_cert="/etc/ldap/sasl2/wb.ru.crt" tls_key="/etc/ldap/sasl2/wb.ru.key"
  tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" tls_reqcert=allow
  type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldaps://infra-ldap.dl.wb.ru
  searchbase="cn=config" bindmethod=simple credentials=5fX?BLR2
  binddn="cn=admin,cn=config" starttls=no
  tls_cert="/etc/ldap/sasl2/w.ru.crt" tls_key="/etc/ldap/sasl2/wb.ru.key"
  tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" tls_reqcert=allow
  type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=003 provider=ldaps://infra-ldap.dp.wb.ru
  searchbase="cn=config" bindmethod=simple credentials=5fX?BLR2
  binddn="cn=admin,cn=config" starttls=no
  tls_cert="/etc/ldap/sasl2/wb.ru.crt" tls_key="/etc/ldap/sasl2/wb.ru.key"
  tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" tls_reqcert=allow
  type=refreshAndPersist retry="5 5 300 5" timeout=1
Your above configuration seems very odd. You are not doing client cert
authentication via SASL EXTERNAL, and yet you've specified a client cert
and key. I would expect the only TLS configuration bits to be for the CA
cert.
But in the logs on each server:
slap_client_connect: URI=ldaps://infra-ldap.dl.wb.ru
DN="cn=admin,cn=config" ldap_sasl_bind_s failed
So it's not able to bind with the configuration to the other server.
openssl s_client -connect infra-ldap.dp.wb.ru:636
Verify return code: 0 (ok)
Do I need to specify port 636 in steps 5 and 7? For example, it was
ldaps://infra-ldap-m9.wb.ru and will become ldaps://infra-ldap-m9.wb.ru:636
No, port 636 is the default for ldaps.
And how else can you figure out what's wrong?
I would use the ldapwhoami utility to ensure you can bind with the
specified identity to each server.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
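The two points Quanah makes above (the syncrepl TLS settings should only name the CA cert when no SASL EXTERNAL is used, and each provider should be bind-tested with ldapwhoami before blaming the config) as an added example; this is not code from the thread or from OpenLDAP. The hostnames, bind DN, password and CA path are the ones from the posted config; the constructed sample LDIF drops tls_cert/tls_key and raises tls_reqcert to "demand", which are this example's own choices rather than anything stated in the thread. The script reads the olcSyncRepl values from an LDIF file, unfolds them, and runs ldapwhoami against every provider with exactly the DN and password slapd would use.

```shell
#!/bin/sh
# Added example, not code from the thread: bind-test every provider named in an
# olcSyncRepl LDIF with ldapwhoami, the check Quanah recommends, before loading
# the LDIF into cn=config. Hosts, bind DN, password and CA path below are the
# ones from the posted config; dropping tls_cert/tls_key (no SASL EXTERNAL is
# used) and raising tls_reqcert to "demand" are this example's own choices.
set -eu

# Constructed sample LDIF. Continuation lines start with one space (the LDIF
# fold marker) followed by a second space that survives unfolding as the
# separator between syncrepl parameters.
SAMPLE_LDIF='dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://infra-ldap-m9.wb.ru
  searchbase="cn=config" bindmethod=simple binddn="cn=admin,cn=config"
  credentials=5fX?BLR2 tls_cacert="/etc/ldap/sasl2/commercial_ca.crt"
  tls_reqcert=demand type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldaps://infra-ldap.dl.wb.ru
  searchbase="cn=config" bindmethod=simple binddn="cn=admin,cn=config"
  credentials=5fX?BLR2 tls_cacert="/etc/ldap/sasl2/commercial_ca.crt"
  tls_reqcert=demand type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=003 provider=ldaps://infra-ldap.dp.wb.ru
  searchbase="cn=config" bindmethod=simple binddn="cn=admin,cn=config"
  credentials=5fX?BLR2 tls_cacert="/etc/ldap/sasl2/commercial_ca.crt"
  tls_reqcert=demand type=refreshAndPersist retry="5 5 300 5" timeout=1'

# unfold_ldif FILE: join LDIF continuation lines back onto their attribute line.
unfold_ldif() {
    awk '
        /^ /   { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
               { buf = $0 }
        END    { print buf }
    ' "$1"
}

# field KEY LINE: value of KEY=... in one unfolded olcSyncRepl line, quotes
# stripped. Values containing spaces (e.g. retry="5 5 300 5") are not needed
# here and are not handled.
field() {
    printf '%s\n' "$2" | awk -v k="$1" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == k) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# check_one LINE: bind to one provider the way slapd's syncrepl would (simple
# bind over ldaps with the configured DN and password) and report the result.
check_one() {
    line=$1
    uri=$(field provider "$line")
    dn=$(field binddn "$line")
    cacert=$(field tls_cacert "$line")

    # ldapwhoami takes its TLS settings from ldap.conf(5), not from olcSyncRepl,
    # so pass the same CA and "demand" through LDAPTLS_*. The password goes in a
    # 0600 temp file read with -y (no trailing newline: the whole file is the
    # secret) rather than on the command line, where -w would show it in ps.
    pwfile=$(mktemp)
    field credentials "$line" | tr -d '\n' > "$pwfile"
    if LDAPTLS_CACERT=$cacert LDAPTLS_REQCERT=demand \
           ldapwhoami -x -H "$uri" -D "$dn" -y "$pwfile"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$pwfile"
    if [ "$rc" -eq 0 ]; then
        echo "OK   $uri as $dn"
    else
        # This is the same bind slapd reports as "ldap_sasl_bind_s failed".
        echo "FAIL $uri as $dn (ldapwhoami exit status $rc)"
    fi
    return 0
}

# check_all FILE: run check_one for every olcSyncRepl value in FILE.
check_all() {
    unfold_ldif "$1" | grep '^olcSyncRepl:' | while IFS= read -r line; do
        check_one "$line"
    done
}

# Usage: sh bindcheck.sh syncrepl.ldif
# (e.g. the sample above saved to a file). With no argument only the
# functions and the sample are defined.
if [ $# -gt 0 ]; then
    check_all "$1"
fi
```

A provider that prints FAIL here will also fail in slapd, so fix the DN, password or server-side ACL/rootdn before touching cn=config; one that prints OK with LDAPTLS_REQCERT=demand also confirms the CA file actually validates that provider's certificate, which tls_reqcert=allow in the posted config would have silently skipped.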