Erralt

OpenLDAP, syncrepl via TLS/SSL

Posted in Administration, LF, Linux by erralt on 19 January 2010

I had to configure an OpenLDAP consumer to replicate data from my OpenLDAP provider.

First of all, my OpenLDAP server does not use slapd.conf directives but the cn=config (dynamic configuration) directives.
All the configuration examples I found on the Internet used slapd.conf, so I had to work out by myself how to translate slapd.conf directives into cn=config directives, especially the syncrepl directives.


On the provider


1/ Add the attribute « olcModuleLoad » with the value « syncprov » to the cn=module{0},cn=config entry

The server will rewrite your modification to:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModulePath: /usr/lib/ldap

Equivalent in slapd.conf:

moduleload syncprov


2/ Add the overlay directive with some sub-options

– add this entry under the node of a database backend (here olcDatabase={1}hdb,cn=config), not directly under the root cn=config entry (it does not work there; I made that mistake). Verify that your database type is bdb or hdb, because syncrepl only works with one of those.

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Adjust olcSpCheckpoint (contextCSN checkpoint after a number of write operations or a number of minutes, whichever comes first) and olcSpSessionlog (size of the in-memory session log) to your needs.

Equivalent in slapd.conf:

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


3/ Add indexes for entryCSN and entryUUID:

on the node dn: olcDatabase={1}hdb,cn=config, add:

olcDbIndex: entryCSN,entryUUID eq

Here are the syncprov options translated into their cn=config equivalents:

syncprov-checkpoint -> olcSpCheckpoint
syncprov-sessionlog -> olcSpSessionlog
syncprov-nopresent -> olcSpNoPresent
syncprov-reloadhint -> olcSpReloadHint
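The three provider-side steps above, applied to the live cn=config tree with ldapmodify, as an added example that is not from the original post. It is my script, not the author's; it assumes slapd listens on ldapi:/// and that the local root user is mapped to the cn=config administrator through SASL EXTERNAL (the Debian/Ubuntu packaging default), that the database entry is olcDatabase={1}hdb,cn=config and the module entry cn=module{0},cn=config as in the post, and the function names and the translation helper for the table above are my own. Without arguments it only defines the functions; `sh provider.sh apply` changes the server.

```shell
#!/bin/sh
# Added example (not from the original post): apply the provider-side
# syncprov configuration through ldapmodify over ldapi:///.
# Assumptions: SASL EXTERNAL maps local root to the cn=config admin;
# adjust the two DNs below if your entries are numbered differently.

DB_DN='olcDatabase={1}hdb,cn=config'
MODULE_DN='cn=module{0},cn=config'

# Step 1: load the syncprov module (slapd.conf: "moduleload syncprov").
# slapd renumbers the value itself ({0}back_hdb, {1}syncprov, ...).
module_ldif() {
    printf '%s\n' \
        "dn: $MODULE_DN" \
        "changetype: modify" \
        "add: olcModuleLoad" \
        "olcModuleLoad: syncprov"
}

# Step 2: the overlay entry under the database node, never under cn=config itself.
# $1 = checkpoint "<ops> <minutes>", $2 = session log size.
overlay_ldif() {
    checkpoint=${1:-"100 10"}
    sessionlog=${2:-100}
    printf '%s\n' \
        "dn: olcOverlay=syncprov,$DB_DN" \
        "changetype: add" \
        "objectClass: olcOverlayConfig" \
        "objectClass: olcSyncProvConfig" \
        "olcOverlay: syncprov" \
        "olcSpCheckpoint: $checkpoint" \
        "olcSpSessionlog: $sessionlog"
}

# Step 3: equality indexes on entryCSN and entryUUID, which syncrepl searches on.
index_ldif() {
    printf '%s\n' \
        "dn: $DB_DN" \
        "changetype: modify" \
        "add: olcDbIndex" \
        "olcDbIndex: entryCSN,entryUUID eq"
}

# slapd.conf option name -> cn=config attribute name (the table above).
translate_syncprov_option() {
    case $1 in
        syncprov-checkpoint) echo olcSpCheckpoint ;;
        syncprov-sessionlog) echo olcSpSessionlog ;;
        syncprov-nopresent)  echo olcSpNoPresent ;;
        syncprov-reloadhint) echo olcSpReloadHint ;;
        *) echo "unknown syncprov option: $1" >&2; return 1 ;;
    esac
}

# Translate a whole slapd.conf line, e.g. "syncprov-checkpoint 100 10",
# into the matching LDIF attribute line "olcSpCheckpoint: 100 10".
translate_syncprov_line() {
    case $1 in *" "*) ;; *) echo "expected '<option> <value>'" >&2; return 1 ;; esac
    opt=${1%% *}
    val=${1#* }
    attr=$(translate_syncprov_option "$opt") || return 1
    printf '%s: %s\n' "$attr" "$val"
}

apply_ldif() {
    ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Read back the overlay so a missing or misplaced entry is noticed immediately.
verify_overlay() {
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$DB_DN" \
        '(olcOverlay=syncprov)' olcSpCheckpoint olcSpSessionlog
}

if [ "${1:-}" = apply ]; then
    module_ldif | apply_ldif
    overlay_ldif "100 10" 100 | apply_ldif
    index_ldif | apply_ldif
    verify_overlay
fi
```

The overlay is added as olcOverlay=syncprov; the server assigns the {0} ordering prefix shown in the post. Each step is its own ldapmodify run so that a failure (typically the overlay being added under the wrong parent) stops before the index change.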


On the consumer


Configuration of syncrepl:

On the node of your database configuration (for me: dn: olcDatabase={1}hdb,cn=config), add the following attribute and value (one LDIF value; the continuation lines start with a space):

olcSyncrepl: {0}rid=000 provider=ldap://provider.mydomain.net
 searchbase=dc=mydomain.net
 bindmethod=simple
 binddn=cn=syncrepl,dc=mydomain.net
 credentials=XXXXX
 retry="60 +"
 type=refreshOnly
 interval=00:00:10:00

Equivalent in slapd.conf (continuation lines start with whitespace):

syncrepl rid=000 provider=ldap://provider.mydomain.net
        searchbase=dc=mydomain.net
        bindmethod=simple
        binddn=cn=syncrepl,dc=mydomain.net
        credentials=XXXXX
        retry="60 +"
        type=refreshOnly
        interval=00:00:10:00

At this point the provider directory is replicated to the consumer directory in clear text (the simple-bind password included). Verify that everything works fine before moving on to TLS.


Using TLS/SSL

Before any TLS/SSL configuration of the OpenLDAP server, add the « openldap » user to the « ssl-cert » group.

Then check that the « openldap » user is able to read the /etc/ssl/private/server.key file.

On the provider

Check that the provider is correctly configured for SSL or TLS connections.
To test an SSL (ldaps) connection, run:

ldapsearch -H ldaps://provider.mydomain.net -x -W

To test a STARTTLS connection:

ldapsearch -H ldap://provider.mydomain.net -W -x -ZZ


On the consumer

* For an SSL (ldaps) connection, in the syncrepl configuration:
– change the provider option to use ldaps:// instead of ldap://
– add these options:

tls_cert=/etc/ssl/certs/server.pem
tls_cacert=/etc/ssl/certs/cacert.org.pem
tls_key=/etc/ssl/private/server.key

* For a STARTTLS connection, in the syncrepl configuration:
– keep the provider option using ldap://
– add these options:

starttls=yes
tls_cert=/etc/ssl/certs/server.pem
tls_cacert=/etc/ssl/certs/cacert.org.pem
tls_key=/etc/ssl/private/server.key
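The consumer configuration described in this section (clear-text, ldaps and STARTTLS variants) built and applied from one script, with the two preliminary checks the post asks for (the key must be readable by the « openldap » user, and the provider must answer over SSL/TLS), as an added example that is not part of the original post. It is my code, not the author's; it reuses the host names, DNs and certificate paths from the post, assumes ldapi:/// with SASL EXTERNAL for the local cn=config admin, reads the bind password from a file given as the third argument instead of hard-coding it, and adds tls_reqcert=demand (my addition, not in the post) so the consumer refuses a provider whose certificate does not validate against tls_cacert. The olcSyncrepl value is emitted as a single line, which is what slapd stores.

```shell
#!/bin/sh
# Added example (not from the original post): consumer-side syncrepl
# configuration for the three transport variants.
# Assumptions: values below mirror the post; SLAPD_USER is the Debian/Ubuntu
# service user; tls_reqcert=demand is my hardening addition.

PROVIDER_HOST='provider.mydomain.net'
SEARCHBASE='dc=mydomain.net'
BINDDN='cn=syncrepl,dc=mydomain.net'
DB_DN='olcDatabase={1}hdb,cn=config'
TLS_CERT='/etc/ssl/certs/server.pem'
TLS_CACERT='/etc/ssl/certs/cacert.org.pem'
TLS_KEY='/etc/ssl/private/server.key'
SLAPD_USER='openldap'

# Build the olcSyncrepl value.  $1 = plain | ldaps | starttls, $2 = bind password.
# ldaps: TLS from the first byte, so provider= switches to ldaps://.
# starttls: provider stays ldap:// and starttls=yes upgrades the connection.
syncrepl_value() {
    mode=$1
    cred=$2
    tls="tls_cert=$TLS_CERT tls_cacert=$TLS_CACERT tls_key=$TLS_KEY tls_reqcert=demand"
    case $mode in
        plain)    uri="ldap://$PROVIDER_HOST";  extra='' ;;
        ldaps)    uri="ldaps://$PROVIDER_HOST"; extra=" $tls" ;;
        starttls) uri="ldap://$PROVIDER_HOST";  extra=" starttls=yes $tls" ;;
        *) echo "syncrepl_value: mode must be plain, ldaps or starttls" >&2; return 1 ;;
    esac
    printf 'rid=000 provider=%s searchbase=%s bindmethod=simple binddn=%s credentials=%s retry="60 +" type=refreshOnly interval=00:00:10:00%s\n' \
        "$uri" "$SEARCHBASE" "$BINDDN" "$cred" "$extra"
}

# LDIF adding that value to the consumer's database entry.
syncrepl_ldif() {
    value=$(syncrepl_value "$@") || return 1
    printf '%s\n' \
        "dn: $DB_DN" \
        "changetype: modify" \
        "add: olcSyncrepl" \
        "olcSyncrepl: $value"
}

# Can user $1 read file $2?  Fails when the ssl-cert group step was skipped.
key_readable_by() {
    su -s /bin/sh "$1" -c "test -r '$2'"
}

# The provider checks from the post, as an anonymous base search that needs no password.
check_provider() {
    case $1 in
        ldaps)    ldapsearch -x -LLL -H "ldaps://$PROVIDER_HOST" -b "$SEARCHBASE" -s base dn ;;
        starttls) ldapsearch -x -LLL -ZZ -H "ldap://$PROVIDER_HOST" -b "$SEARCHBASE" -s base dn ;;
        plain)    ldapsearch -x -LLL -H "ldap://$PROVIDER_HOST" -b "$SEARCHBASE" -s base dn ;;
        *) return 1 ;;
    esac
}

# Usage: sh consumer.sh apply <plain|ldaps|starttls> <password-file>
if [ "${1:-}" = apply ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    mode=$2
    cred=$(cat "$3") || exit 1
    if [ "$mode" != plain ]; then
        key_readable_by "$SLAPD_USER" "$TLS_KEY" \
            || { echo "$SLAPD_USER cannot read $TLS_KEY (ssl-cert group?)" >&2; exit 1; }
    fi
    check_provider "$mode" >/dev/null \
        || { echo "provider does not answer over $mode" >&2; exit 1; }
    syncrepl_ldif "$mode" "$cred" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
fi
```

Keep the password file readable by root only; once applied, the password also lives in the consumer's cn=config database, so the slapd.d directory deserves the same protection as the private key.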

* I got this error:

main: TLS init def ctx failed: -1

=> I had a look at http://readthefuckingmanual.net/2010/01 and my problem came from symbolic links not being followed, which is weird.

* I got this error:

main: TLS init def ctx failed: -207

=> It seems to be an error when checking the SSL certificate chain (have a look at this thread on the OpenLDAP list). I used certtool from the GnuTLS package to create a self-signed certificate.

* I got this error:

main: TLS init def ctx failed: -69

=> remove the passphrase from the key.

Now everything works, but sometimes I get this error:

slap_client_connect: URI=ldaps://****.*****.net DN="cn=syncrepl,dc=*****.net" ldap_sasl_bind_s failed (-1)

and I don't know whether it is critical. It seems not to be; replication works again afterwards.

———
Example of a syncrepl run that works (consumer log):

hdb_modify: updated id=00000032 dn="cn=*****,ou=users,dc=*****.net"
slapd[19443]: send_ldap_result: conn=-1 op=0 p=3
slapd[19443]: send_ldap_result: err=0 matched="" text=""
slapd[19443]: syncrepl_entry: rid=000 be_modify cn=*****,ou=users,dc=*****.net (0)
slapd[19443]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT
slapd[19443]: =>do_syncrepl rid=000
slapd[19443]: =>do_syncrep2 rid=000
slapd[19443]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT
slapd[19443]: do_syncrep2: cookie=rid=000,csn=20100109013243.742646Z#000000#000#000000
slapd[19443]: slap_queue_csn: queing 0x7f0b4ab5f9c0 20100109013243.742646Z#000000#000#000000
slapd[19443]: hdb_modify: dc=******.net
slapd[19443]: bdb_dn2entry("dc=******.net")
slapd[19443]: bdb_modify_internal: 0x0000001d: dc=*****.net
slapd[19443]:  entry_encode(0x0000001d):
slapd[19443]: <= entry_encode(0x0000001d):
slapd[19443]: hdb_modify: updated id=0000001d dn="dc=******.net"
slapd[19443]: send_ldap_result: conn=-1 op=0 p=3
slapd[19443]: send_ldap_result: err=0 matched="" text=""
slapd[19443]: slap_graduate_commit_csn: removing 0x7f0b4ab5fa00 20100109013243.742646Z#000000#000#000000

———
If you need to check whether slapd is linked against GnuTLS or OpenSSL:

# ldd $(which slapd)
        linux-vdso.so.1 =>  (0x00007fff2a318000)
        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007f103bb68000)
        liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007f103b95a000)
        libdb-4.7.so => /usr/lib/libdb-4.7.so (0x00007f103b5f8000)
        libodbc.so.1 => /usr/lib/libodbc.so.1 (0x00007f103b398000)
        libslp.so.1 => /usr/lib/libslp.so.1 (0x00007f103b186000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f103af6c000)
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f103acca000)  <=====
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f103aa91000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00007f103a878000)
        libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00007f103a66e000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x00007f103a463000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007f103a247000)
        libc.so.6 => /lib/libc.so.6 (0x00007f1039ed8000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00007f1039cbe000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f1039aba000)
        libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00007f10398a9000)
        libz.so.1 => /lib/libz.so.1 (0x00007f1039692000)
        libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00007f103941a000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f103bdb1000)
        libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00007f1039216000)

Edit: pay attention to /usr/local/etc/openldap/ldap.conf, which is used by ldapsearch and seems to make syncrepl work more easily.
Found with « strace ldapsearch -b dc=mydomain.net -x -ZZ »: ldapsearch does not use /etc/ldap/ldap.conf on Ubuntu 9.10 (Karmic).
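The two diagnostics from the end of the post (which TLS library slapd is linked against, and which ldap.conf the client tools actually open) as small shell functions, added here as an example that is not from the original post. The code is mine; the ldd classification reads ldd output on stdin so it can be exercised on a saved listing such as the one above, and the strace helper assumes strace is installed and traces only open()/openat() so that the ldap.conf and ldaprc lookups stand out (paths reported with ENOENT were tried and do not exist; the one without an error is the file that was read).

```shell
#!/bin/sh
# Added example (not from the original post): locate the TLS backend and the
# client configuration file in use.  Assumes ldd and strace are available.

# Classify ldd output (on stdin) by the TLS library it lists.
# A GnuTLS build links libgnutls.so, an OpenSSL build links libssl.so; the
# two differ in which certificate/key formats and error messages you get.
tls_library_from_ldd() {
    libs=$(cat)
    case $libs in
        *libgnutls.so*) echo gnutls ;;
        *libssl.so*)    echo openssl ;;
        *)              echo unknown ;;
    esac
}

# Same check against the installed slapd binary.
slapd_tls_library() {
    ldd "$(command -v slapd)" | tls_library_from_ldd
}

# $1 = provider host, $2 = search base.  Prints the open()/openat() trace lines
# that mention ldap.conf or ldaprc; strace writes to stderr, ldapsearch's own
# output goes to /dev/null so only the trace is examined.
ldap_conf_files_used() {
    strace -f -e trace=open,openat \
        ldapsearch -x -ZZ -H "ldap://$1" -b "$2" -s base dn 2>&1 >/dev/null \
        | grep -E 'ldap\.conf|ldaprc'
}

if [ "${1:-}" = run ]; then
    echo "slapd TLS library: $(slapd_tls_library)"
    ldap_conf_files_used "${2:-provider.mydomain.net}" "${3:-dc=mydomain.net}"
fi
```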