Gavin Henry wrote:
> ----- "Gémes Géza" <[EMAIL PROTECTED]> wrote:
>
>> Hi everyone!
>>
>> I've set up two test ldap servers (2.4.10) with multimaster
>> replication.
>> With simple binds it is working well.
>> I've set up a client certificate (everything CA signed, no
>> self-signing
>> ;-) ) to use with SASL/EXTERNAL authentication.
>> Using olcAuthzRegexp I've mapped it to the rootdn of the cn=config
>> backend, set up an .ldaprc file and with:
>> su -c '/usr/bin/ldapwhoami' openldap -s /bin/sh
>> (I'm running slapd as openldap user and group)
>> I get:
>> SASL/EXTERNAL authentication started
>> SASL username: cn=LDAP Syncrepl Client,ou=LDAP Server,o=Kossuth
>> Zsuzsanna SZKI,l=Dabas,st=Pest,c=HU
>> SASL SSF: 0
>> dn:cn=config
>> just like expected (ldapsearch and friends are also working on both
>> sides and cross).
>> Just to be sure I've exported the LDAPCONF variable in the slapd
>> startup
>> script.
>> But syncrepl doesn't work!
>> On the logs (olcLogLevel=-1):
>> slap_client_connect: URI=ldaps://first-or-second-ldap-server
>> ldap_sasl_interactive_bind_s failed (-6)
>> connection_read(20): unable to get TLS client DN, error=49 id=23
>>
>
> Are you trying to StartTLS on an SSL (ldaps://) connection? That won't work.
>

However, a simple ldapwhoami or ldapsearch works. The ldaprc used is:

BASE dc=kzsdabas,dc=hu
URI ldaps://first-ldap-server ldaps://second-ldap-server
TLS_CACERT /etc/ssl/certs/ca.crt
TLS_CERT /etc/ldap/syncrepl.crt
TLS_KEY /etc/ldap/syncrepl.key
TLS_REQCERT demand
SASL_MECH external
SASL_AUTHCID cn=LDAP Syncrepl Client,ou=LDAP Server,o=Kossuth Zsuzsanna SZKI,l=Dabas,st=Pest,c=HU

Just to be sure, now I've tried to change the providers to ldap://..., but without luck. Now it just reports in the logs:

slap_client_connect: URI=ldaps://first-or-second-ldap-server
ldap_sasl_interactive_bind_s failed (-6)

Thanks for any ideas.

Geza
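As an added illustration (not part of this thread and not a verified fix for the poster's setup), the consumer's client certificate can be named directly on the olcSyncrepl directive: the syncrepl directive has its own tls_cert=, tls_key=, tls_cacert= and tls_reqcert= keywords, so the replication bind does not have to rely on slapd picking up the .ldaprc that ldapwhoami uses. The certificate paths, CA path and provider names are the ones from the thread; the database DN (cn=config replicated, matching the olcAuthzRegexp mapping to the cn=config rootdn), rid, retry schedule and type are assumed values, and the matching olcServerID/olcMirrorMode settings for multimaster are omitted.

```ldif
# Added example, not from the thread: load with ldapmodify against cn=config.
# The olcSyncrepl value is one long string; continuation lines start with two
# spaces (LDIF strips one, the second keeps the keywords separated).
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldaps://first-ldap-server
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="cn=config"
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cacert=/etc/ssl/certs/ca.crt
  tls_cert=/etc/ldap/syncrepl.crt
  tls_key=/etc/ldap/syncrepl.key
  tls_reqcert=demand
# No starttls= keyword here: the provider URI is already ldaps://, and
# StartTLS on top of an ldaps:// connection does not work.
```

With this in place, the provider side should still map the certificate subject through olcAuthzRegexp exactly as the thread's ldapwhoami test shows (SASL username ending in dn:cn=config); if the provider log keeps reporting "unable to get TLS client DN", compare the DN it received against the one ldapwhoami prints before looking further.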
