OpenLDAP multimaster replication fails when enabling encrypted replication
Issue
We are trying to set up a multi-master replication between two LDAP servers. It works fine as long as the replication connection is unencrypted; as soon as we enable encryption, replication stops working.
Debug output when starting the LDAP server:
Initial certificate load works:
=>do_syncrepl rid=002
ldap_create
ldap_url_parse_ext(ldaps://ldap2.example.org)
...
ldap_pvt_connect: fd: 13 tm: -1 async: 0
TLS: loaded CA certificate file /etc/pki/CA/cacert.crt.
TLS: certificate '/etc/pki/CA/certs/ldap2.crt' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldap2.example.org,OU=GSS,O=RH,ST=BW,C=DE'.
TLS: certificate [CN=ldap2.example.org,OU=GSS,O=RH,ST=BW,C=DE] is valid
TLS: certificate [CN=ldap2.example.org,OU=GSS,O=RH,ST=BW,C=DE] is valid
TLS certificate verification: subject: CN=ldap2.example.org,OU=GSS,O=RH,ST=BW,C=DE, issuer: CN="ldap1 Certificate Authority",OU=GSS,O=RH,L=STGT,ST=BW,C=DE, cipher: Camellia-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
...
TLS fails:
ber_scanf fmt (}) ber:
ldap_msgfree
slap_client_connect: URI=ldaps://ldap2.example.org Error, ldap_start_tls failed (1)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 13
...
>>> slap_listener(ldaps://ldap1.example.org)
connection_get(13): got connid=1000
connection_read(13): checking for input on id=1000
TLS: loaded CA certificate file /etc/pki/CA/cacert.crt.
TLS: certificate '/etc/pki/CA/certs/ldap.crt' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldap1.example.org,OU=GSS,O=RH,ST=BW,C=DE'.
TLS: certificate [CN=ldap1.example.org,OU=GSS,O=RH,ST=BW,C=DE] is valid
connection_get(13): got connid=1000
connection_read(13): checking for input on id=1000
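The trace above is easier to triage when the consumer-side lines are grouped per syncrepl pass: which rid, which provider URI, whether the transport TLS handshake and certificate verification already succeeded, and which step then failed with which LDAP result code. The script below is an added example written for this article, not part of the article or of OpenLDAP; it runs over a constructed copy of the consumer-side lines shown above, re-joined onto single lines. The regular expressions match only the message formats visible in this trace. The closing hint in `diagnose()` (that a `ldaps://` provider URI combined with a StartTLS request asks for TLS twice) is the editor's assumption about a likely cause, not the resolution of this article, which is not shown here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the syncrepl consumer side of the slapd debug
# trace quoted in the article, re-joined onto single lines.
SAMPLE_LOG = """\
=>do_syncrepl rid=002
ldap_create
ldap_url_parse_ext(ldaps://ldap2.example.org)
ldap_pvt_connect: fd: 13 tm: -1 async: 0
TLS: loaded CA certificate file /etc/pki/CA/cacert.crt.
TLS: certificate '/etc/pki/CA/certs/ldap2.crt' successfully loaded from PEM file.
TLS: certificate [CN=ldap2.example.org,OU=GSS,O=RH,ST=BW,C=DE] is valid
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt (}) ber:
ldap_msgfree
slap_client_connect: URI=ldaps://ldap2.example.org Error, ldap_start_tls failed (1)
ldap_free_connection 1 1
ldap_send_unbind
"""

# Message formats as they appear in the trace above (slapd debug output).
RID_RE = re.compile(r"^=>do_syncrepl rid=(\d+)")
URI_RE = re.compile(r"^ldap_url_parse_ext\((\S+)\)")
CERT_OK_RE = re.compile(r"^TLS: certificate \[(.+)\] is valid")
CONNECTED_RE = re.compile(r"^ldap_open_defconn: successful")
CONNECT_ERR_RE = re.compile(
    r"^slap_client_connect: URI=(\S+) Error, (\w+) failed \((\d+)\)"
)


@dataclass
class SyncreplAttempt:
    rid: str
    uri: Optional[str] = None
    peer_subject: Optional[str] = None  # subject DN of the verified provider certificate
    connected: bool = False             # ldap_open_defconn reported success
    failed_step: Optional[str] = None   # e.g. "ldap_start_tls"
    error_code: Optional[int] = None    # LDAP result code reported by slapd


def parse_syncrepl_attempts(text: str) -> List[SyncreplAttempt]:
    """Group consumer-side debug lines into one record per do_syncrepl pass."""
    attempts: List[SyncreplAttempt] = []
    current: Optional[SyncreplAttempt] = None
    for line in text.splitlines():
        m = RID_RE.match(line)
        if m:
            current = SyncreplAttempt(rid=m.group(1))
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first do_syncrepl belong to something else
        m = URI_RE.match(line)
        if m:
            current.uri = m.group(1)
            continue
        m = CERT_OK_RE.match(line)
        if m:
            current.peer_subject = m.group(1)
            continue
        if CONNECTED_RE.match(line):
            current.connected = True
            continue
        m = CONNECT_ERR_RE.match(line)
        if m:
            current.uri = current.uri or m.group(1)
            current.failed_step = m.group(2)
            current.error_code = int(m.group(3))
    return attempts


def diagnose(a: SyncreplAttempt) -> str:
    """Return a one-line triage verdict for a single syncrepl pass."""
    if a.failed_step is None:
        return f"rid={a.rid}: no connection error recorded"
    scheme = a.uri.split("://", 1)[0] if a.uri else "?"
    verdict = (f"rid={a.rid} uri={a.uri}: {a.failed_step} failed with "
               f"LDAP result {a.error_code}")
    if a.connected and a.peer_subject:
        verdict += f"; transport TLS to '{a.peer_subject}' was already established"
    if scheme == "ldaps" and a.failed_step == "ldap_start_tls":
        # Assumed likely cause (editor's hypothesis, not the article's resolution):
        # StartTLS requested on a connection that is already TLS because of ldaps://.
        verdict += ("; check the syncrepl directive: ldaps:// and starttls= "
                    "together request TLS twice")
    return verdict


if __name__ == "__main__":
    for attempt in parse_syncrepl_attempts(SAMPLE_LOG):
        print(diagnose(attempt))
```

Run against a full `slapd -d -1` capture the same way; the per-rid grouping matters on a real server because several consumers interleave their output, and only the pass whose `ldap_url_parse_ext` URI matches the failing `slap_client_connect` line is the one to look at.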
Environment
- Red Hat Enterprise Linux 6.4
- Two servers, called Master-1 and Master-2
- Hostname: ldap1.example.org (Master-1)
- Hostname: ldap2.example.org (Master-2)
- Suffix: dc=example,dc=org
- Version of OpenLDAP:
  openldap-2.4.23-32.el6_4.1.x86_64
  openldap-servers-2.4.23-32.el6_4.1.x86_64
  openldap-clients-2.4.23-32.el6_4.1.x86_64