OpenLDAP syncrepl over SSL
Tony Davis
12 years ago
Hi,

I wonder if anyone can help me with a question I have regarding an OpenLDAP setup on Red Hat / CentOS 5.8 using openldap-2.3.43.

I am trying to set up replication. I have set this up using the simple bind method, which stores a password for the replication in the config (this works), but I wondered if there was a way to have this replication take place using SSL certificates without the need to store the unhashed password in slapd.conf. Is this possible? Or do I still have to specify a replication user and password, but all the auth takes place over SSL?

This is my current config for replication:

syncrepl rid=001
provider=ldap://master01.tld
type=refreshAndPersist
interval=00:00:05:00
retry="5 5 300 +"
searchbase="dc=tld"
attrs="*,+"
bindmethod=sasl
saslmech=EXTERNAL
tls_cert=/etc/master02.tld.pem
tls_key=/etc/master02.tld.key
tls_cacert=/etc/openldap/cacerts/ca.pem
tls_reqcert=demand
starttls=yes

mirrormode on
updateref ldap://master01.tld

But in the replication log I get the following:

Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7)
Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying (3 retries left)
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on:
Patrick Lists
12 years ago
I'm struggling with a similar problem (see message "N-Way Multi-Master
TLS problem" from a few hours ago) so I'm afraid I don't have an answer
for you. This FAQ entry might help:

http://www.openldap.org/faq/data/cache/1504.html

One tip: usually the developers/experienced folks on this list will
advise you to upgrade your OpenLDAP version to the latest version using
packages available from http://ltb-project.org or build the latest
OpenLDAP from source against OpenSSL (not gnuTLS). Between 2.3.43 and
the latest 2.4.35 version many syncrepl bugs have been fixed so maybe
start with that.

If you find a solution I would appreciate it if you could update the
thread. It might provide a pointer on how to solve my problem.

Regards,
Patrick
btb
12 years ago
you are talking about two different things. one is encryption, and one
is authentication.

making some basic assumptions [e.g. that the provider is properly
configured for encryption], using starttls means that communication is
encrypted, regardless of how you might be authenticating or what sasl
mechanism might be in use.

as far as authentication goes, if you want to do certificate based
authentication, first read the section in the admin guide which covers
this [chapter 16. using tls]. then, use ldapsearch or friends for the
exercise of setting up and testing the provider. once that is working,
translate those settings to the consumer syncrepl config element.

on a related note, the tls_cert/tls_key syncrepl settings are to specify
the key and cert of the client [e.g. the consumer], not the provider.
those files are what the consumer will use when authenticating to the
provider via certificates.

-ben

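An added example, not from the thread: a small Python checker that parses a syncrepl stanza like the one posted, flags what a SASL/EXTERNAL consumer needs, turns the stanza's TLS settings into the ldapwhoami test ben suggests running against the provider first, and names the LDAP resultCode in the failing log line. The LDAPTLS_* variables are the client-side TLS_* options of ldap.conf(5); the stanza and log line in the block are constructed copies of those in the question.

```python
import re
import shlex

# LDAP resultCode values that commonly appear in a failed bind (RFC 4511, section 4.1.9).
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired", 49: "invalidCredentials"}
# Consumer-side slapd log line for a failed syncrepl bind, in the form seen in the question.
BIND_FAILURE = re.compile(r"do_syncrep1: rid (?P<rid>\d+) ldap_sasl_interactive_bind_s failed \((?P<rc>\d+)\)")
# Constructed copies of the stanza and log line posted in the question.
CONFIG = ('syncrepl rid=001 provider=ldap://master01.tld type=refreshAndPersist retry="5 5 300 +" '
          'searchbase="dc=tld" attrs="*,+" bindmethod=sasl saslmech=EXTERNAL tls_cert=/etc/master02.tld.pem '
          'tls_key=/etc/master02.tld.key tls_cacert=/etc/openldap/cacerts/ca.pem tls_reqcert=demand starttls=yes')
LOG_LINES = ["Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7)"]

def parse_syncrepl(stanza):
    """Split a syncrepl stanza into key -> value; shlex keeps quoted values like retry="5 5 300 +" whole."""
    settings = {}
    for token in shlex.split(stanza):
        key, sep, value = token.partition("=")
        if sep:
            settings[key.lower()] = value
    return settings

def check_external_auth(settings):
    """List what the stanza lacks for certificate (SASL/EXTERNAL) authentication; empty means nothing obvious."""
    problems = []
    if settings.get("bindmethod", "").lower() != "sasl" or settings.get("saslmech", "").upper() != "EXTERNAL":
        problems.append("bindmethod=sasl saslmech=EXTERNAL is required for certificate authentication")
    tls = settings.get("starttls", "no").lower() in ("yes", "critical") or settings.get("provider", "").startswith("ldaps://")
    if not tls:
        problems.append("EXTERNAL needs a TLS session: set starttls=yes or use an ldaps:// provider")
    problems += [f"{k} missing: the consumer's own client certificate and key are required"
                 for k in ("tls_cert", "tls_key") if k not in settings]
    return problems

def ldapwhoami_command(settings):
    """Turn the consumer's TLS settings into the manual test ben recommends running against the provider first.
    LDAPTLS_* environment variables are the client-side TLS_* options of ldap.conf(5); -ZZ makes StartTLS mandatory."""
    env = [f"LDAPTLS_{k[4:].upper()}={settings[k]}" for k in ("tls_cacert", "tls_cert", "tls_key") if k in settings]
    cmd = ["ldapwhoami", "-H", settings["provider"], "-Y", "EXTERNAL"]
    if settings.get("starttls", "no").lower() in ("yes", "critical"):
        cmd.append("-ZZ")
    return " ".join(env + cmd)

def bind_failures(log_lines):
    """Return (rid, resultCode, name) for each failed syncrepl bind in the consumer's log lines."""
    found = []
    for m in filter(None, map(BIND_FAILURE.search, log_lines)):
        rc = int(m.group("rc"))
        found.append((m.group("rid"), rc, RESULT_CODES.get(rc, "unknown")))
    return found
```

Result code 7 (authMethodNotSupported) means the provider did not accept the EXTERNAL mechanism; slapd only advertises EXTERNAL once the TLS handshake has produced a verified client certificate, so the provider's TLS setup is the place to look first.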