
I have syncrepl working for both the config database and the LDAP database; let's just concentrate on the LDAP database. In this solution we require encryption between consumer and provider in a multi-master configuration.

I have this working well without TLS. Here is the non-TLS configuration for syncrepl:

olcSyncRepl:
    rid=003
    provider=ldap://<server1>
    binddn="cn=ldapadm,dc=test,dc=local"
    bindmethod=simple
    credentials=password
    searchbase="dc=test,dc=local"
    type=refreshOnly
    interval=00:00:00:30
    retry="5 5 300 5"
    timeout=1

olcSyncRepl:
    rid=004
    provider=ldap://<server2>
    binddn="cn=ldapadm,dc=test,dc=local"
    bindmethod=simple
    credentials=password
    searchbase="dc=test,dc=local"
    type=refreshOnly
    interval=00:00:00:30
    retry="5 5 300 5"
    timeout=1

Updates to server1 update server2 and updates to server2 update server1; all good.

When I replace this configuration with self-signed certificates and use ldaps over port 636, it fails.

This is the ldaps syncrepl config:

olcSyncRepl:
    rid=003
    provider=ldaps://<server1>
    binddn="cn=ldapadm,dc=test,dc=local"
    bindmethod=simple
    credentials=password
    searchbase="dc=test,dc=local"
    tls_cacert=/etc/openldap/certs/IntInfCA.ca.pem
    tls_key=/etc/openldap/certs/serevr1
    tls_cert=/etc/openldap/certs/server1.cert
    type=refreshOnly
    interval=00:00:00:10
    retry="5 5 300 5"
    timeout=1

olcSyncRepl:
    rid=004
    provider=ldaps://server2
    binddn="cn=ldapadm,dc=test,dc=local"
    bindmethod=simple
    credentials=password
    searchbase="dc=test,dc=local"
    tls_cacert=/etc/openldap/certs/IntInfCA.ca.pem
    tls_key=/etc/openldap/certs/server2
    tls_cert=/etc/openldap/certs/server2.cert
    type=refreshOnly
    interval=00:00:00:10
    retry="5 5 300 5"
    timeout=1

This does not work. The error messages are:

Jan 13 08:16:36 hbtc5003 slapd[32321]: slap_client_connect: URI=ldaps://hbtc5503.test.vocalink.co.uk DN="cn=ldapadm,dc=ips,dc=local" ldap_sasl_bind_s failed (-1)
Jan 13 08:16:36 hbtc5003 slapd[32321]: do_syncrepl: rid=004 rc -1 retrying
Jan 13 08:16:36 hbtc5003 slapd[32321]: conn=1001 fd=23 closed (TLS negotiation failure)
Jan 13 08:17:06 hbtc5003 slapd[32321]: conn=1002 fd=23 ACCEPT from IP=10.105.189.178:46550 (IP=0.0.0.0:636)
Jan 13 08:17:06 hbtc5003 slapd[32321]: conn=1002 fd=23 closed (TLS negotiation failure)

Any ideas?

  • Have you provided the slaves with the self-signed certificate to trust? – user207421 Jan 15 '20 at 10:53
  • The replication issue was resolved; the issue was that the cert locations for the two servers were being overwritten in the configuration database. – Ibrarhussain187 Jan 21 '20 at 14:13
  • We have a new issue. Now the user database is being replicated: when you add a new user, all is replicated both ways, all good. When you change the password on one side, it's not replicated to the other side. Help please. – Ibrarhussain187 Jan 21 '20 at 14:14
  • I have the same issue: https://stackoverflow.com/questions/73001518/ldap-sasl-bind-s-failed-1 – Mohammad Jul 17 '22 at 03:29
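The two things raised above (a consumer that cannot verify a self-signed provider certificate, and per-host tls_cert/tls_key paths that get overwritten once cn=config is replicated) can be checked before slapd ever logs "TLS negotiation failure". The following is an added example, not code from the question or from OpenLDAP: a small stdlib-only Python linter that parses olcSyncRepl values in the multi-line form shown above and flags the weak or inconsistent TLS settings. The sample configs are constructed (modelled on the question, with plain hostnames instead of the placeholders); the severity names and messages are this script's own.

```python
"""Lint olcSyncRepl values for the TLS settings that most often end in
"TLS negotiation failure" / ldap_sasl_bind_s failed (-1) on a consumer."""
import shlex
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

Finding = Tuple[str, str, str]  # (rid, severity, message)


def parse_syncrepl(text: str) -> List[Dict[str, str]]:
    """Split LDIF-style text into olcSyncRepl values (indented lines continue
    the value above) and turn each into a key -> value dict. shlex takes care
    of the quoting in binddn="..." and retry="5 5 300 5"."""
    values: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("olcSyncRepl:"):
            values.append(line[len("olcSyncRepl:"):])
        elif values:
            values[-1] += " " + line
    parsed: List[Dict[str, str]] = []
    for body in values:
        params: Dict[str, str] = {}
        for token in shlex.split(body):
            key, sep, value = token.partition("=")  # split on the first '=' only
            if sep:
                params[key.lower()] = value
        parsed.append(params)
    return parsed


def lint_syncrepl(text: str) -> List[Finding]:
    """Return findings per consumer; an empty list means nothing to flag."""
    findings: List[Finding] = []
    seen_rids: Set[str] = set()
    client_cert_paths: Set[Tuple[str, str]] = set()
    for p in parse_syncrepl(text):
        rid = p.get("rid", "?")
        if rid in seen_rids:
            findings.append((rid, "error", "duplicate rid"))
        seen_rids.add(rid)
        scheme = urlsplit(p.get("provider", "")).scheme.lower()
        starttls = p.get("starttls", "no").lower()
        encrypted = scheme == "ldaps" or starttls in ("yes", "critical")
        reqcert = p.get("tls_reqcert", "demand").lower()  # slapd default is demand
        if not encrypted:
            if "credentials" in p:
                findings.append((rid, "weak", "bind credentials travel in cleartext over ldap:// (no starttls)"))
        else:
            if starttls == "yes":
                findings.append((rid, "weak", "starttls=yes falls back to cleartext if StartTLS fails; use starttls=critical"))
            if reqcert in ("never", "allow"):
                findings.append((rid, "weak", f"tls_reqcert={reqcert} skips provider certificate verification"))
            elif not (p.get("tls_cacert") or p.get("tls_cacertdir")):
                findings.append((rid, "error", "no tls_cacert: a self-signed provider certificate cannot be "
                                  "verified, so the handshake aborts (TLS negotiation failure)"))
        if ("tls_key" in p) != ("tls_cert" in p):
            findings.append((rid, "error", "tls_key and tls_cert must be set together"))
        elif "tls_key" in p:
            client_cert_paths.add((p["tls_cert"], p["tls_key"]))
    if len(client_cert_paths) > 1:
        findings.append(("*", "warn", "consumers name different tls_cert/tls_key files; a replicated cn=config "
                         "runs the same values on every host, so host-specific paths break on all but one"))
    return findings


# Constructed samples (not from a real server). The first mirrors the two
# ldaps:// consumers in the question; the others isolate one weakness each.
SAMPLE_QUESTION = """\
olcSyncRepl:
    rid=003 provider=ldaps://server1 binddn="cn=ldapadm,dc=test,dc=local"
    bindmethod=simple credentials=password searchbase="dc=test,dc=local"
    tls_cacert=/etc/openldap/certs/IntInfCA.ca.pem
    tls_key=/etc/openldap/certs/server1 tls_cert=/etc/openldap/certs/server1.cert
    type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl:
    rid=004 provider=ldaps://server2 binddn="cn=ldapadm,dc=test,dc=local"
    bindmethod=simple credentials=password searchbase="dc=test,dc=local"
    tls_cacert=/etc/openldap/certs/IntInfCA.ca.pem
    tls_key=/etc/openldap/certs/server2 tls_cert=/etc/openldap/certs/server2.cert
    type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
"""
SAMPLE_NO_CA = """\
olcSyncRepl: rid=005 provider=ldaps://server1 binddn="cn=ldapadm,dc=test,dc=local"
    bindmethod=simple credentials=password searchbase="dc=test,dc=local"
"""
SAMPLE_REQCERT_NEVER = """\
olcSyncRepl: rid=006 provider=ldaps://server1 bindmethod=simple credentials=password
    searchbase="dc=test,dc=local" tls_reqcert=never
"""
SAMPLE_PLAIN = """\
olcSyncRepl: rid=007 provider=ldap://server1 bindmethod=simple credentials=password
    searchbase="dc=test,dc=local"
"""

if __name__ == "__main__":
    for name in ("SAMPLE_QUESTION", "SAMPLE_NO_CA", "SAMPLE_REQCERT_NEVER", "SAMPLE_PLAIN"):
        for rid, severity, message in lint_syncrepl(globals()[name]):
            print(f"{name}: rid={rid} [{severity}] {message}")
```

Run it against the output of `ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config olcSyncRepl` (or any saved LDIF) to lint a live server. Note that the linter only reads the attribute values; whether the file named in tls_cacert actually contains the CA that signed the provider's certificate still has to be checked on each host with the same tools you would use for any TLS client.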

0 Answers