Hi!

Just answering my own question:
I had some incorrect syncrepl configurations that caused the error (wrong mech).
After having fixed those, I don't see any error any more.

Kind regards,
Ulrich Windl

From: Windl, Ulrich <u.wi...@ukr.de>
Sent: Wednesday, March 19, 2025 2:55 PM
To: openldap-technical@openldap.org
Subject: [EXT] Q: Using SASL EXTERNAL with certificates for syncrepl

Hi!

I'm trying to convert our syncrepl configuration using plain authentication 
over TLS to external authentication using a user certificate.
It almost works, but slapd is reporting "connection_read(11): TLS accept 
failure error=-1 id=1002, closing" and "conn=1002 fd=11 closed (TLS negotiation 
failure)" while I can connect using the certificate and peer with openssl 
s_client.

Openssl reports:
...
Requested Signature Algorithms: 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 20974 bytes and written 5070 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2400 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
...

Somehow I suspect that the certificate being a user certificate (DN mapped to a 
user entry) is not acceptable in syncrepl's tls_cert; can anybody confirm?
The problem is that I'd like to trust a user certificate more than a host 
certificate for replication.
And if I'd use a host certificate, how could I authenticate the user being used 
to get the changes?

I looked a lot around using popular search engines, but could not find a useful 
example that is complete enough.

Let me remark at this point that the description of tls_reqsan is quite poor in 
SLAPD-CONFIG(5); it was not obvious to me that it is about "Subject Alternate 
Name".
The other thing I noticed was a capitalized "Binding" in "...to  establish  a  
TLS  session  before Binding to the provider." (also in SLAPD-CONFIG(5))

Kind regards,
Ulrich Windl
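As an added example that is not part of either message in this thread: a provider-side and consumer-side cn=config fragment for a syncrepl consumer that authenticates with SASL EXTERNAL using a TLS client certificate whose subject DN is mapped to a user entry, the setup the question describes. Hostnames, rid, file paths and DNs are placeholders, and the comment about the "wrong mech" is an assumption about what the follow-up message means, not something the thread states.

```ldif
# Added example, not taken from either message in the thread.
# All hostnames, paths, rid values and DNs are placeholders.

# --- Provider (cn=config) -------------------------------------------------
# Ask for a client certificate on TLS sessions so that SASL EXTERNAL has an
# identity to work with, and trust only our own CA for client certificates.
# "demand" rejects clients that present no certificate; use "try" instead
# if ordinary LDAP clients without certificates must still connect.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
-
# With SASL EXTERNAL over TLS the authentication identity is the subject DN
# of the client certificate. If that DN is not itself an entry in the DIT,
# map it to one (here: to the user entry whose cn matches the cert's cn).
# Assumption: the replication certificate's subject has the form
# cn=<name>,ou=replicators,dc=example,dc=test.
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=([^,]+),ou=replicators,dc=example,dc=test$"
  "ldap:///ou=people,dc=example,dc=test??one?(cn=$1)"

# The mapped entry still needs read access to everything it replicates and
# must not hit the default size/time limits; grant both to that one DN
# instead of widening anonymous or default access.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to *
  by dn.exact="cn=replicator,ou=people,dc=example,dc=test" read
  by * break
-
add: olcLimits
olcLimits: dn.exact="cn=replicator,ou=people,dc=example,dc=test"
  time.soft=unlimited time.hard=unlimited
  size.soft=unlimited size.hard=unlimited

# --- Consumer (cn=config) -------------------------------------------------
# bindmethod=sasl together with saslmech=EXTERNAL makes the consumer
# authenticate with the certificate in tls_cert/tls_key; no binddn or
# credentials are sent. Any other saslmech here ignores the certificate
# identity (assumption: that is the "wrong mech" the follow-up refers to).
# tls_reqcert checks the provider's certificate chain, tls_reqsan checks
# that its Subject Alternative Name matches the provider host.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: {0}rid=001
  provider=ldaps://provider.example.test:636
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/openldap/certs/replicator.crt
  tls_key=/etc/openldap/certs/replicator.key
  tls_cacert=/etc/openldap/certs/ca.crt
  tls_reqcert=demand
  tls_reqsan=demand
  searchbase="dc=example,dc=test"
  type=refreshAndPersist
  retry="60 +"
```

Before enabling the consumer, check the mapping from the consumer host with ldapwhoami -H ldaps://provider.example.test -Y EXTERNAL, with LDAPTLS_CERT, LDAPTLS_KEY and LDAPTLS_CACERT in the environment pointing at the same files; the reply should be the mapped user DN, and the provider's log line for that connection should show a successful SASL bind rather than a TLS negotiation failure. The LDIF folds long values with two leading spaces because LDIF strips exactly one space from each continuation line.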
