I was told by the Chief Architect, OpenLDAP, the following:
"This has nothing to do with OpenLDAP. Your build is using the MozNSS
crypto library, ask them for help."
So, here is my setup -
I've recently updated both my openldap servers to version 2.4.39 and
everything seems to be working EXCEPT the mirror synchronization, which
was the issue I had previously with 2.4.23.
Running on CentOS 6.5
Setup -
Server1(provider): ldap-east.xxxxx.net
Server2(consumer): ldap-west.xxxxx.net
Not using self-signed certs. Instead I have a SAN (Subject Alternative
Name) cert from DigiCert with 4 hostnames:
ldap.xxxxx.net
ldap-1.xxxxx.net
ldap-2.xxxxx.net
ldap-alt.xxxxx.net
I'm using slapd.conf vs cn=config.
A code snippet of my slapd.conf file showing the TLS setup:
[root@ldap-east openldap]# cat slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
allow bind_v2
TLSCertificateFile /etc/openldap/certs/ldap_xxxxx_net.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap_xxxxx_net.key
TLSCACertificateFile /etc/openldap/certs/CAcompany.crt
The details of the Error Msg:
[root@ldap-east certs]# slapd -d sync
541b16ed @(#) $OpenLDAP: slapd 2.4.39 (Sep 16 2014 19:42:16) $
r...@admin.pcoral.net:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
541b16ed /etc/openldap/slapd.conf: line 165: warning, destination
attributeType 'sAMAccountName' is not defined in schema
541b16ed PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
541b16ed /etc/openldap/slapd.conf: line 215: rootdn is always granted
unlimited privileges.
541b16ed bdb_monitor_db_open: monitoring disabled; configure monitor
database to enable
541b16ed slapd starting
TLS: error: the certificate '/etc/openldap/certs/ldap_xxxxx_net.crt'
could not be found in the database - error -12285:Unable to find the
certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' successfully
loaded from PEM file.
TLS: no unlocked certificate for certificate
'CN=ldap.xxxxx.net,O="xxxxxx, INC.",L=Alviso,ST=California,C=US'.
541b16ed do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
*** I wonder if there is something about SAN certs where ldap is having
issues?
*** Since it is a signed CA cert in a mirror sync setup, do I need to set
it up in the local CA (using certutil) and add it? (I didn't have to for
non-sync use.)
*** Unclear on 'not found in database' - which one? I've tried adding
it using certutil in various permutations, adding the cert to the
local CA database with all the various SAN names as different
nicknames.
*** I've also set up symlinks in /etc/openldap/certs pointing from the
hashes -> certs - but all of these gave the exact same output as above.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
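A small file-level check for the kind of PEM load failure shown in the log above, added here as an example and not part of the original post or of OpenLDAP itself: it pulls the TLS*File directives out of slapd.conf text and flags a missing file, a file that is not PEM-armoured (for instance DER), or a passphrase-protected key. That a slapd started unattended cannot unlock an encrypted PEM key is my assumption about the MozNSS PEM path, not something the post confirms; the sample paths and file contents are constructed.

```python
import os
import tempfile

# slapd.conf directives that name PEM files when a MozNSS build of slapd reads PEM input
TLS_FILE_DIRECTIVES = ("TLSCertificateFile", "TLSCertificateKeyFile", "TLSCACertificateFile")

def parse_tls_directives(conf_text):
    """Map each TLS*File directive in slapd.conf text to the path it names."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_FILE_DIRECTIVES:
            found[parts[0]] = parts[1].strip()
    return found

def check_tls_files(directives):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    for name in TLS_FILE_DIRECTIVES:
        path = directives.get(name)
        if path is None:
            findings.append(f"{name} is not set")
            continue
        if not os.path.isfile(path):
            findings.append(f"{name}: {path} does not exist")
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if b"-----BEGIN " not in data:
            findings.append(f"{name}: {path} is not PEM encoded")
        elif name == "TLSCertificateKeyFile" and b"ENCRYPTED" in data:
            # Assumption: an unattended slapd has no passphrase, so it cannot unlock this key.
            findings.append(f"{name}: {path} is passphrase protected")
    return findings

def demo():
    """Constructed sample files (not the poster's): a DER cert, an encrypted key, no CA file."""
    tmp = tempfile.mkdtemp()
    cert, key, ca = (os.path.join(tmp, n) for n in ("ldap.crt", "ldap.key", "ca.crt"))
    with open(cert, "wb") as fh:
        fh.write(b"\x30\x82\x01\x00")  # DER starts with a SEQUENCE tag, no PEM armour
    with open(key, "wb") as fh:
        fh.write(b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n...\n-----END ENCRYPTED PRIVATE KEY-----\n")
    conf = f"# constructed\nTLSCertificateFile {cert}\nTLSCertificateKeyFile {key}\nTLSCACertificateFile {ca}\n"
    return check_tls_files(parse_tls_directives(conf))
```

Running demo() returns three findings, one per directive; point parse_tls_directives at the real slapd.conf text to check a live setup.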