On 05/09/2018 03:37 PM, Michal Medvecky wrote:
The server uses the openldap client libraries for
replication connections. Setting nsslapd-ssl-check-hostname
sets these flags on the connection as follows:
For server authentication it sets this flag:
LDAPSSL_AUTH_CNCHECK --> This checks the hostname
in the certificate subject to that of the host
For SSL client auth it sets this flag:
LDAP_OPT_X_TLS_HARD
Okay so it does more than is documented, now I get it.
I'll file a doc bug for this...
So the issue
here is either openldap is not finding the correct hostname,
or the hostname in the certificate subject is wrong.
As I stated previously, my domain name and cert are good.
Even the reverse DNS record is correct.
I tried replacing the certificate with an incorrect one
(with invalid CN) and the error displayed in log is the very
same. So yes, it looks like “something” does not match (but
what?)
I'm not sure what is wrong/mismatched as it's failing inside of the
openldap client library. I wonder if the cert nickname having the
"CN=" in it is a problem? It shouldn't be, but who knows.
openldap just describes the flag as:
LDAPSSL_AUTH_CNCHECK indicates
that you accept the server's certificate only if you trust the CA
who issued the certificate and if the value of the cn attribute is
the DNS hostname of the server.
Under cn=config what is nsslapd-localhost set to? Is it the correct
FQDN?
What is in /etc/openldap/ldap.conf?
Connecting to ldap server itself works, even openssl
s_client verifies the server cert ok (including the chain,
what was a nice surprise to me).
In cn=RSA,cn=encryption,cn=config, I use
nsSSLPersonalitySSL='CN=ldap-master-b[01].example.com'.
I tried changing the errorlog-level as you suggested, but I
got no better message than...
[09/May/2018:21:13:25 +0200] NSMMReplicationPlugin -
agmt="cn= rw-to-ldap-master-b02.example.com"
(ldap-master-b02:636): binddn =
cn=MasterMasterReplicationManager,cn=config, passwd =
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUXhZamN5WXpNeVppMDNPR00zTXpOaA0KTUMxaE1XTmtabUl5WmkwMVpUVmtOR1l5TlFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRDBuaTFJaDRXMmZDcnlqWUtXQmlMRw==}yFb3FVwDwpWKupgUWiS4wg==
[09/May/2018:21:13:26 +0200] slapi_ldap_bind - Error:
could not send bind request for id
[cn=MasterMasterReplicationManager,cn=config] authentication
mechanism [SIMPLE]: error -1 (Can't contact LDAP server),
system error -5987 (Invalid function argument.), network
error 115 (Operation now in progress, host "ldap-master-b02.example.com:636")
There are no messages containing "conn_connect"?
root@ldap-master-b01:~# host 100.127.177.145
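The hostname check discussed above (accept the server certificate only if the CA is trusted and the certificate name is the host's DNS name) can be reproduced outside the server to see exactly which names are compared. The following is an added example, not code from the thread or from 389-ds: it applies RFC 6125-style matching to a constructed certificate dict in the shape Python's ssl.getpeercert() returns (SAN dNSName entries first, subject CN only as a fallback), and the optional probe() connects to a host and runs the same check, which openssl s_client does not do by default. The certificate values are hypothetical, modelled on the names in this thread.

```python
import socket
import ssl

# Constructed sample peer certificate (hypothetical, modelled on the thread;
# the dict shape is what ssl.getpeercert() returns, not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap-master-b02.example.com"),),),
    "subjectAltName": (("DNS", "ldap-master-b02.example.com"),),
}


def _label_match(pattern, hostname):
    """RFC 6125-style match: '*' is honoured only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """dNSName SANs if present; otherwise fall back to the subject CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert, hostname):
    """Return (ok, names_tried) so a caller can show why a check failed.
    Note that a short host name (e.g. 'ldap-master-b02') never matches a
    certificate that only carries the FQDN."""
    names = cert_names(cert)
    return any(_label_match(n, hostname) for n in names), names


def probe(host, port=636, timeout=5):
    """Connect like the replication agreement would: verify the chain against
    the system CA store, then apply the hostname check to the peer cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we do the name check ourselves to report the names
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hostname_matches(tls.getpeercert(), host)
```

Run probe() with the exact host string used in the agreement (the value shown in parentheses in the agmt log line) rather than the name you believe it resolves to.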
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx