Difficulties with replication over SSL
I'm having trouble replicating over SSL:
I have two hosts, let's call them 'ldap1' and 'ldap2', both have SSL enabled and use their own certs.
Both certs were signed by Verisign and thus both machines have the same trusted root CA cert installed.
I have also installed the server-cert from ldap2 onto ldap1, and have modified the trustargs as I thought appropriate:
certutil -L -d /apps/ldap/serverroot/alias -P slapd-cnd-tm1-

server-cert                            u,u,u
ldap2.berkeley.edu                     CT,,
UCB Root Certificate Authority 01      CT,,
Alas, I still cannot get replication to work over SSL from ldap1 to ldap2. The error log on ldap1 shows the following:
[30/Aug/2006:08:14:38 -0700] - ERROR<8318> - Repl. Transport - conn=-1 op=-1 msgId=-1 - [S] Bind failed with response: Failed to bind to remote (900).
[30/Aug/2006:08:15:10 -0700] - INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 - Could not send consumer ldap2.berkeley.edu:636 the bind request
[30/Aug/2006:08:15:10 -0700] - INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 - Failed to connect to replication consumer ldap2.berkeley.edu:636
This shouldn't be very difficult but I'm currently stumped.
-Rob
# 1
Hello,
-- deployment guide--
If you are using SSL with replication, there are two possible methods of authentication:
When using SSL Server Authentication, you must have a Replication Manager entry, and its associated password, in the server you are authenticating to.
When using SSL Client Authentication you must have an entry containing a certificate in the server you are authenticating to. This entry may or may not be mapped to the Replication Manager entry.
If you choose the 2nd option then the DN of the certificate should be mapped on your directory server. Meaning there should be an LDAP entry in your directory server matching the DN of the certificate.
Regards
Randip Malakar
# 4
I think the problem might be how you have named the certificate. The output from "certutil -L -d /var/mps/serverroot/alias -P slapd-host-" lists "server-name u,u,u" when I believe it needs to be the FQDN of the host, i.e. "ldap1.domain.com u,u,u". Try changing the name from server-name to FQDN on both machines and restart the directories.
I have a 2-way multi-master setup and I use the FQDN. The only certs I have installed are the one for the machine and my local CA, and it works fine.
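The posts above all come back to what the supplier's certificate database actually contains, so here is a small checker for the listing that "certutil -L" prints. This is an added example, not code from the thread or from the directory server product; the sample listing is constructed from the one Rob quoted, and the trust-flag meanings are the standard NSS ones (C = CA trusted to issue SSL server certs, T = CA trusted to issue client certs, P = trusted peer, u = certificate with a private key in the database).

```python
"""Parse the listing printed by ``certutil -L`` and sanity-check what a
replication supplier needs before it can open an SSL connection to a
consumer.  Added example; not part of the thread or of the product."""

import re

# Constructed sample, modelled on the listing quoted earlier in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

server-cert                                            u,u,u
ldap2.berkeley.edu                                     CT,,
UCB Root Certificate Authority 01                      CT,,
"""

# Nickname (may contain spaces), whitespace, then the three comma-separated
# NSS trust fields at the very end of the line.  The header and legend lines
# do not end in a valid trust triple, so they are skipped automatically.
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<trust>[cCTpPu]*,[cCTpPu]*,[cCTpPu]*)$"
)


def parse_certutil_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, objsign_flags)}."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.rstrip())
        if not m:
            continue
        ssl, smime, objsign = m.group("trust").split(",")
        certs[m.group("nick").strip()] = (ssl, smime, objsign)
    return certs


def check_replication_certs(certs, own_nickname):
    """Return a list of findings; an empty list means nothing obviously wrong.

    own_nickname is the nickname the supplier's SSL configuration points at
    (the thread uses 'server-cert').
    """
    findings = []
    own = certs.get(own_nickname)
    if own is None:
        findings.append(f"no certificate with nickname {own_nickname!r}")
    elif own[0] != "u":
        findings.append(
            f"{own_nickname!r} has SSL trust {own[0]!r}; expected 'u', "
            "meaning the private key is present in the database"
        )
    # Something must vouch for the consumer's server certificate: a CA trusted
    # to issue server certs (C) or the consumer's own cert trusted as a peer (P).
    vouchers = [n for n, (ssl, _, _) in certs.items() if "C" in ssl or "P" in ssl]
    if not vouchers:
        findings.append(
            "no certificate carries C or P in the SSL column, so the "
            "consumer's server certificate cannot be validated"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_certutil_listing(SAMPLE_LISTING)
    for nick, flags in parsed.items():
        print(f"{nick:40} {','.join(flags)}")
    print(check_replication_certs(parsed, "server-cert") or "no findings")
```

Run it against the real output of certutil -L on the supplier (the -d and -P arguments from the thread select the directory server's own database); a nickname typo, a missing private key, or a database with no trusted issuer for the consumer's certificate shows up as a finding before you go looking at the replication agreement itself.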
# 5
Randip,
I've managed to get Replication over SSL working using the Replication Manager account. I would like to use a certificate in place of the Replication Manager, but I can't seem to get that working at all.
Regarding your comment:
"If you choose the 2nd option then the DN of the certificate should be mapped on your directory server. Meaning there should be an LDAP entry in your directory server matching the DN of the certificate."
Can you expand on this further? Do I need to create an entry in the Directory corresponding to my certificate DN which is:
cn=server1.FQDN,dc,ou=prod,o=comany,l=London,c=GB
However, my base suffix is:
dc=test,dc=com
Are you saying that I need my certificate to have a dn of:
cn=server1.FQDN,dc=test,dc=com?
Cheers,
Patrick
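Patrick's question is whether a subject DN like the one above can name an entry under a suffix of dc=test,dc=com. The check is mechanical: an entry's DN must end in the suffix of the database that holds it. The following is an added example (not from the thread or the product) that normalizes two DNs and answers that question; the certificate subject and suffix values in it are constructed stand-ins for the ones Patrick quoted.

```python
"""Decide whether a certificate subject DN could be the DN of an entry under
a given directory suffix.  Added example; the DN parser handles backslash
escapes and embedded commas but is not a full RFC 4514 implementation."""


def parse_dn(dn):
    """Split a DN into [(attr, value), ...], most specific RDN first.

    Attribute types and values are lower-cased and trimmed so that
    'CN=x, DC=Test' compares equal to 'cn=x,dc=test'.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":            # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        parsed.append((attr.strip().lower(), value.strip().lower()))
    return parsed


def is_under_suffix(dn, suffix):
    """True if dn sits at or below suffix (suffix RDNs are dn's trailing RDNs)."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def explain(cert_subject, suffix):
    """One-line verdict for a certificate subject against a base suffix."""
    if is_under_suffix(cert_subject, suffix):
        return f"an entry with DN {cert_subject!r} can exist under {suffix!r}"
    return (f"{cert_subject!r} is not under {suffix!r}; no entry with that "
            "exact DN can exist in this database")


if __name__ == "__main__":
    # Constructed values standing in for the DNs quoted in the thread.
    BASE_SUFFIX = "dc=test,dc=com"
    CERT_SUBJECT = "cn=server1.example.com,ou=prod,o=Example,l=London,c=GB"
    REISSUED_SUBJECT = "cn=server1.example.com,dc=test,dc=com"
    print(explain(CERT_SUBJECT, BASE_SUFFIX))
    print(explain(REISSUED_SUBJECT, BASE_SUFFIX))
```

The first verdict is the situation Patrick describes: a subject rooted at c=GB cannot be an entry in a database whose suffix is dc=test,dc=com, so either the certificate subject has to be issued under that suffix or the server has to map the subject to an existing entry by some other rule. The parser also rejects an RDN with no "=" in it, which catches a mistyped subject before it is compared.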
# 6
Rob,
I know this to work as I even do it with self signed certs signed for 25 years. (I don't like getting bugged when they expire).
I load the certs using a GUI, giving it passphrases and the like. I load two requests, one into the admin server and one into the directory server. I also load the CA and check the root certificate chain.
I only use the certutil for making db files for LDAP clients like Solaris 10 needs in /var/ldap. Although this may work in the alias directory, can't say I have tried that.
Once the above is done, I restart the servers. You will be asked for a token, use the passphrase.
Next, and I did not see you mention it; you have to enable the admin and directory server to do SSL. Then restart the servers again. It is in the docs somewhere.
You can enable the directory server without the admin server, but since I sign my own I do them both at once.
Once all this is done, the console will want https too. SSL will also be listening on port 636. You then can configure replication to use SSL.
Dave