
I have two openLDAP servers, each was set up side by side using a script that did all the heavy lifting; the two servers replicate their configs/users to each other, and for a long time I thought everything was working. I just discovered that one of the servers does not actually negotiate TLS, so nothing can authenticate against it.

Both systems are RHEL 6.7; both have been updated at the exact same time in the exact same way since their creation. Each server should be 100% identical...

Using self-signed certificates.

If I run this (on the broken one):

    ldapsearch -ZZd 1 -D "cn=Manager,dc=example,dc=org" -w secret-b ""

    TLS: loaded CA certificate file /etc/openldap/certs/ca-bundle.crt.
    TLS: error: tlsm_PR_Recv returned 0 - error 22:Invalid argument
    TLS: error: connect - force handshake failure: errno 22 - moznss error -5938
    TLS: can't connect: TLS error -5938:Encountered end of file.
    ldap_err2string
    ldap_start_tls: Connect error (-11)
    	additional info: TLS error -5938:Encountered end of file

This makes me worry, because I don't believe I should be using Moznss, as I had trouble with the databases in my initial tests, so I'm hard linking to the ca-bundle.crt, as well as server.key and server.crt, which again works fine on my other server.

On the other hand, if I run:

    openssl s_client -connect server1:636 -cert server.crt -key server.key

    CONNECTED(00000003)
    140398252824392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 247 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

Which again, on my other server, produces good results, verifying the key.

Both errors, at least based on some searches, hint that it is related to the moznss database, but I can't figure out a) why one is an issue and the other isn't, and b) how to either resolve the issue or bypass the issue.

If anyone has any further troubleshooting ideas or potential solutions, I'd be greatly appreciative.

1 Answer

  1. Verify that the olcTLS*File directives in cn=config point to real files.

        olcTLSCACertificateFile: /etc/ssl/certs/ca-bundle.crt
        olcTLSCertificateFile: /etc/pki/tls/certs/server.example.com.crt
        olcTLSCertificateKeyFile: /etc/pki/tls/private/server.example.com.key

  2. Check your logs. By default CentOS doesn't log for slapd. slapd defaults to facility LOCAL4 at severity DEBUG. You can either edit /etc/sysconfig/slapd or modify your syslog configuration.

        # cat /etc/rsyslog.d/slapd.conf
        local4.* /var/log/slapd.log

     Don't forget to modify cn=config's olcLogLevel. `olcLogLevel: Config` is probably the most relevant. `man slapd-config` has more details.

  • I thought that for ldapsearch the old ldap.conf file overwrote the settings in the cn=config, so I was using that as a test case... Apparently my ldifs were pointing to moznss still... Weird thing is BOTH servers were wrong, but one was working anyway. Thank you. Commented Apr 18, 2016 at 22:53
