OpenLDAP mirror mode replication failing with TLS behind a load balancer

Fixed it. There were two problems.

1) The certificate CSR clearly showed subject alternate names for the two individual LDAP servers. I signed it using the usual openssl command that I use to sign with, and never checked the certificate itself. Turns out the certificate did not have the subject alternate names on it, because those require special v3 extensions. Here's the command I used.

openssl x509 -req -days 3650 -in ldap.csr -signkey ldapskey.pem -out cert.pem -extensions v3_req -extfile /etc/ssl/openssl.cnf

2) The REDACTED password I had in my olcSyncrepl directive was actually the SSHA hash. Looks like that's not cool. I replaced the SSHA hash with the clear text password.

Oh, and I also cleared up the syncprov overlays, so that only one overlay existed in each of the actual databases - not in the config databases.

BTW, I found a Howard Chu post where he said that the rid has to be unique within the server's configuration, not within your mirror configuration spanning servers. So, sounds like rid could be 001 on both servers, but anyway, I left it 001 and 002 and it's not harming anyone.
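Added example (not from the post or from OpenLDAP): a shell script that reproduces the first problem and checks the fix. It generates a throwaway key and CSR with the question's CN and SANs, signs the CSR once the way the page first did and once with the answer's -extensions v3_req -extfile form (using a small ext file that stands in for /etc/ssl/openssl.cnf), then reads the SANs back from each certificate instead of from the CSR.

```shell
#!/bin/sh
# Added example, not the poster's code. Host names are the ones from the
# question; key, CSR and certificates are created in a temp dir and removed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SANS="DNS:ldap1.mydomain.com,DNS:ldap2.mydomain.com"

# Stand-in for the v3_req section of /etc/ssl/openssl.cnf used on the page.
cat > "$WORK/ext.cnf" <<EOF
[ v3_req ]
subjectAltName = $SANS
EOF

# Key and CSR: CN is the load balancer name, SANs are the two real servers.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ldapskey.pem" \
  -subj "/CN=ldap.mydomain.com" -addext "subjectAltName=$SANS" \
  -out "$WORK/ldap.csr" 2>/dev/null

# The original signing command: x509 -req does not copy the CSR's extensions.
sign_dropping_sans() {
  openssl x509 -req -days 3650 -in "$WORK/ldap.csr" -signkey "$WORK/ldapskey.pem" \
    -out "$WORK/cert-bad.pem" 2>/dev/null
}

# The corrected command from the answer: extensions come from the ext file.
sign_keeping_sans() {
  openssl x509 -req -days 3650 -in "$WORK/ldap.csr" -signkey "$WORK/ldapskey.pem" \
    -extensions v3_req -extfile "$WORK/ext.cnf" -out "$WORK/cert-good.pem" 2>/dev/null
}

# Exit 0 only if the certificate itself lists the given DNS name as a SAN.
cert_has_san() {  # $1 = certificate file, $2 = host name
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

sign_dropping_sans
sign_keeping_sans
for cert in cert-bad.pem cert-good.pem; do
  for host in ldap1.mydomain.com ldap2.mydomain.com; do
    if cert_has_san "$WORK/$cert" "$host"; then
      echo "$cert: SAN $host present"
    else
      echo "$cert: SAN $host MISSING"
    fi
  done
done
```

The same check against a production certificate is `openssl x509 -in cert.pem -noout -text | grep -A1 'Subject Alternative Name'`; run it on the signed certificate, not on the CSR.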

Author: Lynn Owens

Updated on September 18, 2022

Comments

  • Lynn Owens
    Lynn Owens almost 2 years

    I have two OpenLDAP servers that are both running TLS. They are:

    ldap1.mydomain.com
    ldap2.mydomain.com
    

    I also have a load balancer cluster with a DNS name of its own:

    ldap.mydomain.com
    

    The SSL certificate has a CN of ldap.mydomain.com, with SANs of ldap1.mydomain.com and ldap2.mydomain.com.

    Everything works... Except mirror mode replication.

    My mirror mode replication is set up like this:

    ldap.conf

    TLS_REQCERT allow
    

    cn=config.ldif

    olcServerID: 1 ldap://ldap1.mydomain.com
    olcServerID: 2 ldap://ldap2.mydomain.com
    

    On ldap1, olcDatabase{1}hdb.ldif

    olcMirrorMode: TRUE
    olcSyncrepl: {0}rid=001 provider=ldap://ldap2.mydomain.com bindmethod=simple bindmethod=simple binddn="cn=me,dc=mydomain,dc=com" credentials="REDACTED" starttls=yes searchbase="dc=mydomain,dc=com" schemachecking=on type=refreshAndPersist retry="60 +"
    

    On ldap2, olcDatabase{1}hdb.ldif

    olcMirrorMode: TRUE
    olcSyncrepl: {0}rid=001 provider=ldap://ldap1.mydomain.com bindmethod=simple bindmethod=simple binddn="cn=me,dc=mydomain,dc=com" credentials="REDACTED" starttls=yes searchbase="dc=mydomain,dc=com" schemachecking=on type=refreshAndPersist retry="60 +"
    

    Here are the errors I'm getting in syslog:

    Dec  1 21:05:01 ldap1 slapd[6800]: slap_client_connect: URI=ldap://ldap2.mydomain.com DN="cn=me,dc=mydomain,dc=com" ldap_sasl_bind_s failed (-1)
    Dec  1 21:05:01 ldap1 slapd[6800]: do_syncrepl: rid=001 rc -1 retrying
    Dec  1 21:05:08 ldap1 slapd[6800]: conn=1111 fd=20 ACCEPT from IP=ldap.mydomain.com:2295 (IP=ldap1.mydomain.com:636)
    Dec  1 21:05:08 ldap1 slapd[6800]: conn=1111 fd=20 closed (TLS negotiation failure)
    

    Any ideas? I've been working on OpenLDAP for way too long now.

  • Lynn Owens
    Lynn Owens over 11 years
    Ok, I've made that change, unfortunately the situation is unchanged.
  • aculich
    aculich over 11 years
    Can you make your full configuration available via a gist so people can try to reproduce the problem?
  • Lynn Owens
    Lynn Owens over 11 years
    gist.github.com/4187388 ... In compiling that, I see that I am missing the syncProv overlay in the global section of the second server...