OpenLDAP – Fixing TLS Error in Master/Slave Replication Configuration


I am trying to add a TLS secured replication between a master and a slave LDAP server. The replication without TLS works well.

I encounter this error from the slave: slapd_client_connect: URI=ldap://master.domain.com Error, ldap_start_tls failed (-11)

Here is my configuration:

----- Master -----
/etc/ldap/ldap.conf
  URI            ldap://master.domain.com/
  TLS_CACERT     /etc/ssl/cacert.pem
  TLS_REQCERT    demand

/etc/ldap/slapd.d/cn=config.ldif
  olcTLSCertificateKeyFile: /etc/ssl/master-key.pem
  olcTLSCertificateFile: /etc/ssl/master-cert.pem
----- Slave -----
/etc/ldap/ldap.conf
  URI            ldap://slave.domain.com/
  TLS_CACERT     /etc/ssl/cacert.pem
  TLS_REQCERT    demand

/etc/ldap/slapd.d/cn=config.ldif
  olcTLSCertificateKeyFile: /etc/ssl/slave-key.pem
  olcTLSCertificateFile: /etc/ssl/slave-cert.pem

/etc/ldap/slapd.d/cn=config/olcDatabase{1}mdb.ldif
  olcSyncrepl: rid=001, provider=ldap://master.domain.com binddn="cn=readonly,ou=users,dc=master,dc=domain,dc=com" bindmethod=simple credentials="mypass" searchbase="dc=master,dc=domain,dc=com" type=refreshAndPersist timeout=0 network-timeout=0 retry="60 +" starttls=critical tls_reqcert=demand

This is what I already checked / tried:

  • The certificates on both servers are owned by the user openldap
  • The fingerprints of cacert.pem on both servers are the same
  • The expiration dates of the certificates are good
  • The cn in cacert.pem is equal to the cn of the master server
  • The slave can use the following command to search on the master: ldapsearch -ZZ -x -H master.domain.com -b "ou=groups,dc=master,dc=domain,dc=com"
  • Changing the slave olcTLS values to use the master certificates
  • Using ldaps:// instead of ldap:// + starttls (ldapsearch -ZZ -H ldaps:// was working)

After some research on the internet, it often talks about the CA certificate (either the cn in it, the owner of the file, …) but I already checked these cases.

Do you have an idea where the problem comes from?

Best Answer

Contrary to what I read in multiple tutorials, we need to configure the CA file in the olcTLS variables even if we are using self-signed certificates.

I believe the /etc/ldap/ldap.conf file is not read, as OpenLDAP now works with the slapd.d folder with a "new" system of configuration.

This is the configuration I ended up doing to activate TLS for the master/slave replication:

----- Master -----
/etc/ldap/slapd.d/cn=config.ldif
  olcTLSCACertificateFile: /etc/ssl/cacert.pem
  olcTLSCertificateKeyFile: /etc/ssl/master-key.pem
  olcTLSCertificateFile: /etc/ssl/master-cert.pem
----- Slave -----
/etc/ldap/slapd.d/cn=config.ldif
  olcTLSCACertificateFile: /etc/ssl/cacert.pem
  olcTLSCertificateKeyFile: /etc/ssl/slave-key.pem
  olcTLSCertificateFile: /etc/ssl/slave-cert.pem

Note:

  • The slave certificate needs to have its own cn in it
  • If you encounter the mods check (objectClass: value #2 invalid per syntax) error, the slave is missing some schema that is loaded on the master
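As an added example (not from the question or the answer), the check below reads a consumer's cn=config.ldif and olcDatabase{1}mdb.ldif the way slapd writes them (with LDIF line folding) and flags an olcSyncrepl that asks for a verified provider certificate (starttls with tls_reqcert=demand) while no CA certificate is configured either globally (olcTLSCACertificateFile) or on the syncrepl line (tls_cacert). The sample LDIF strings are constructed from the question's configuration; the parser handles only single-entry files.

```python
import re

# Added example, not from the original post: lint a consumer's slapd config for the
# TLS misconfiguration the accepted answer describes. All sample LDIF is constructed.
def parse_ldif(text):
    """Return {attribute: [values]} for one LDIF entry; a line starting with one
    space continues the previous line, so those folds are removed first."""
    attrs = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def syncrepl_options(spec):
    """Split an olcSyncrepl value into key=value options, keeping quoted values whole."""
    pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', spec)
    return {k: v.strip('"').rstrip(",") for k, v in pairs}

def tls_findings(config_ldif, db_ldif):
    """List olcSyncrepl specs that require a verified provider certificate while no
    CA certificate is configured globally (cn=config) or on the syncrepl line."""
    cfg = parse_ldif(config_ldif)
    global_ca = cfg.get("olcTLSCACertificateFile") or cfg.get("olcTLSCACertificatePath")
    findings = []
    for spec in parse_ldif(db_ldif).get("olcSyncrepl", []):
        opts = syncrepl_options(spec)
        uses_tls = opts.get("starttls") in ("yes", "critical") or opts.get("provider", "").startswith("ldaps://")
        verifies = opts.get("tls_reqcert", "demand") in ("demand", "hard", "try")  # libldap default is demand
        has_ca = bool(global_ca) or "tls_cacert" in opts or "tls_cacertdir" in opts
        if uses_tls and verifies and not has_ca:
            findings.append(f"rid={opts.get('rid')}: tls_reqcert={opts.get('tls_reqcert', 'demand')} "
                            "but no CA certificate (olcTLSCACertificateFile or tls_cacert) is configured")
    return findings

# Constructed samples mirroring the question (before) and the accepted answer (after).
CONFIG_BEFORE = """dn: cn=config
olcTLSCertificateKeyFile: /etc/ssl/slave-key.pem
olcTLSCertificateFile: /etc/ssl/slave-cert.pem
"""
CONFIG_AFTER = CONFIG_BEFORE + "olcTLSCACertificateFile: /etc/ssl/cacert.pem\n"
CONSUMER_DB = """dn: olcDatabase={1}mdb,cn=config
olcSyncrepl: rid=001 provider=ldap://master.domain.com binddn="cn=readonly,dc=master,dc=domain,dc=com"
  bindmethod=simple credentials="mypass" searchbase="dc=master,dc=domain,dc=com"
  type=refreshAndPersist retry="60 +" starttls=critical tls_reqcert=demand
"""
```

Running `tls_findings(CONFIG_BEFORE, CONSUMER_DB)` reports rid=001, while `tls_findings(CONFIG_AFTER, CONSUMER_DB)` returns an empty list.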