
I'm having trouble running the LDAP replica with TLS; without TLS, all works!! Provider and Consumer are identical.

CentOS release 6.5

rpm -qa | grep ldap
openldap-clients-2.4.23-34.el6_5.1.x86_64
openldap-2.4.23-34.el6_5.1.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64
mod_authz_ldap-0.26-16.el6.x86_64
pam_ldap-185-11.el6.x86_64
openldap-servers-2.4.23-34.el6_5.1.x86_64

Provider config, file cn\=config.ldif

olcTLSCACertificateFile: /etc/openldap/certs/ldapscert.pem
olcTLSCertificateFile: /etc/openldap/certs/ldapscert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/keys/ldapskey.pem
olcTLSCipherSuite: TLSv1+RSA:!EXPORT:!NULL
olcTLSVerifyClient: never

Consumer config:

olcSyncrepl: {0}rid=000
  provider=ldap://ldpsoc01devpom.sociale.it
  starttls=yes
  type=refreshonly
  retry="5 5 300 +"
  searchbase="dc=example,dc=it"
  attrs="*,+"
  bindmethod=simple
  binddn="uid=xxxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it"
  credentials=xxxxxxx
  interval=60

and, in /etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/certs/ldapscert.pem
TLS_REQCERT never

The certificate is self-signed.

On the slave, if I try the following command:

ldapsearch -ZZ -x -H ldap://ldpsoc01devpom -D 'uid=xxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it' -W 'objectclass=*' -v

everything is OK, but when I try to use TLS in replication, the process fails. In the Provider log:

connection_get(16)
connection_get(16): got connid=1030
connection_read(16): checking for input on id=1030
connection_read(16): TLS accept failure error=-1 id=1030, closing
connection_closing: readying conn=1030 sd=16 for close
connection_close: conn=1030 sd=16
daemon: activity on 1 descriptor
daemon: activity on:

In the Consumer log:

slapd[6508]: =>do_syncrepl rid=000
slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it Warning, ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it DN="uid=bind_replica,ou=admin_bind,ou=utenze_amministratori,dc=sociale,dc=it" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=000 rc -1 retrying (3 retries left)
daemon: activity on 1 descriptor
daemon: activity on:

1 Answer


What is your use case for replication? Are you trying to set up another actual authentication server or are you trying to have the clients sync and use a local cache? If it's the latter, you may want to investigate SSSD.

If it's the former, you may want to listen in to the connection to see what's actually being sent. The command on Ubuntu (sorry, I'm not that knowledgeable about CentOS) is

ssldump -i <desired interface, eth0 in my case>

I found a link that will show you how to install it - seems kinda dated, maybe you can find an updated version.

You'll want to run it on your server. It may give you more information, or at least an error code to work from. If you can get it to work, post it here and I'll see what I can do to help you (admittedly, I'm fairly novice with LDAP as well).

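Turning the provider and consumer log excerpts above into structured events, as an added example for this thread (not code from either poster): it pulls the numeric error codes the answer suggests working from out of the slapd lines, so a monitoring job can alert when syncrepl stops because STARTTLS failed. The names for -1 and -11 are libldap's LDAP_SERVER_DOWN and LDAP_CONNECT_ERROR; the sample lines are constructed from the question's logs.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# libldap API result codes (negative, client-side) that appear in the consumer log.
LIBLDAP_API_ERRORS = {-1: "LDAP_SERVER_DOWN", -11: "LDAP_CONNECT_ERROR"}

# Provider: "connection_read(16): TLS accept failure error=-1 id=1030, closing"
PROVIDER_TLS_RE = re.compile(r"TLS accept failure error=(?P<err>-?\d+) id=(?P<connid>\d+)")
# Consumer: "slap_client_connect: URI=ldap://host Warning, ldap_start_tls failed (-11)"
CONSUMER_TLS_RE = re.compile(
    r"slap_client_connect: URI=(?P<uri>\S+) Warning, ldap_start_tls failed \((?P<err>-?\d+)\)")
# Consumer: "do_syncrepl: rid=000 rc -1 retrying (3 retries left)"
CONSUMER_RETRY_RE = re.compile(
    r"do_syncrepl: rid=(?P<rid>\d+) rc (?P<rc>-?\d+) retrying \((?P<left>\d+) retries left\)")

@dataclass
class ReplEvent:
    side: str    # "provider" or "consumer"
    kind: str    # "tls_accept_failure", "starttls_failed" or "syncrepl_retry"
    code: int    # numeric error code as printed by slapd
    detail: str  # connection id, provider URI, or rid/retries left

def code_name(code: int) -> str:
    return LIBLDAP_API_ERRORS.get(code, f"code {code}")

def parse_line(line: str) -> Optional[ReplEvent]:
    """Classify one slapd log line; return None for lines that are not failures."""
    if m := PROVIDER_TLS_RE.search(line):
        return ReplEvent("provider", "tls_accept_failure", int(m["err"]), f"connid={m['connid']}")
    if m := CONSUMER_TLS_RE.search(line):
        return ReplEvent("consumer", "starttls_failed", int(m["err"]), m["uri"])
    if m := CONSUMER_RETRY_RE.search(line):
        return ReplEvent("consumer", "syncrepl_retry", int(m["rc"]), f"rid={m['rid']} left={m['left']}")
    return None

def parse_log(lines: Iterable[str]) -> List[ReplEvent]:
    return [e for e in map(parse_line, lines) if e is not None]

def replication_tls_broken(events: List[ReplEvent]) -> bool:
    """Alert condition: the consumer's STARTTLS failed and syncrepl went into retry."""
    kinds = {e.kind for e in events}
    return "starttls_failed" in kinds and "syncrepl_retry" in kinds
# Constructed sample, taken from the provider and consumer excerpts quoted in the question.
SAMPLE_LOG = [
    "connection_read(16): checking for input on id=1030",
    "connection_read(16): TLS accept failure error=-1 id=1030, closing",
    "slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it Warning, ldap_start_tls failed (-11)",
    "do_syncrepl: rid=000 rc -1 retrying (3 retries left)",
]
```

Feed it the slapd output from both hosts (e.g. via journalctl or /var/log/messages) and page on replication_tls_broken(); the code_name() value tells you whether the consumer never got a TLS session (LDAP_CONNECT_ERROR) or lost the connection afterwards (LDAP_SERVER_DOWN).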