I have two openLDAP servers. Each was set up side by side using a script that did all the heavy lifting, the two servers replicate their configs/users to each other, and for a long time I thought everything was working. I just discovered that one of the servers does not actually negotiate TLS, so nothing can authenticate against it.
Both systems are RHEL 6.7, and both have been updated at the exact same time in the exact same way since their creation. Each server should be 100% identical...
Using self-signed certificates.
If I run (on the broken one): ldapsearch -ZZd 1 -D "cn=Manager,dc=example,dc=org" -w secret-b ""
TLS: loaded CA certificate file /etc/openldap/certs/ca-bundle.crt.
TLS: error: tlsm_PR_Recv returned 0 - error 22:Invalid argument
TLS: error: connect - force handshake failure: errno 22 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -5938:Encountered end of file
This makes me worry, because I don't believe I should be using Moznss, as I had trouble with the databases in my initial tests, so I'm hard linking to the ca-bundle.crt, as well as server.key and server.crt, which again works fine on my other server.
On the other hand, if I run: openssl s_client -connect server1:636 -cert server.crt -key server.key
CONNECTED(00000003)
140398252824392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
Which again, on my other server, produces good results, verifying the key.
Both errors, at least based on some searches, hint that it is related to the moznss database, but I can't figure out a) why one is an issue and the other isn't, and b) how to either resolve the issue or bypass the issue.
If anyone has any further troubleshooting ideas, or potential solutions, I'd be greatly appreciative.
Best Answer
Verify that the olcTLS*File directives in cn=config point to real files.
Check your logs. By default CentOS doesn't log for slapd. slapd defaults to facility LOCAL4 at severity DEBUG. You can either edit /etc/sysconfig/slapd or modify your syslog configuration. Don't forget to modify cn=config's olcLogLevel. olcLogLevel: Config is probably the most relevant. man slapd-config has more details.
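One way to do the first check from the answer on each server, as an added example that is not part of the original post: read the olcTLS*File directives out of cn=config over ldapi:/// and confirm every path they name is readable. It assumes root maps to the config admin via SASL EXTERNAL, as on a stock RHEL 6 slapd, and that the attribute names are the standard olcTLSCACertificateFile / olcTLSCertificateFile / olcTLSCertificateKeyFile.

```shell
#!/bin/sh
# Added example (not from the original answer): pull every olcTLS*File
# directive out of cn=config and confirm the path it names is readable.
# Assumes slapd listens on ldapi:/// and root maps to the config admin via
# SASL EXTERNAL, as it does on a stock RHEL 6 install.

# Print the TLS file directives from the global config entry as LDIF.
fetch_tls_attrs() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config \
        '(objectClass=olcGlobal)' \
        olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
}

# LDIF folds long values onto a following line that starts with a space;
# rejoin them so a long certificate path is not cut in half before the test.
unwrap_ldif() {
    sed -e ':a' -e 'N' -e '$!ba' -e 's/\n //g'
}

# Read unwrapped LDIF on stdin and report each olcTLS*File path as OK or
# MISSING. Unreadable counts as missing: slapd runs as the ldap user, so run
# this as that user for a realistic answer. Returns 1 if any path fails.
check_tls_files() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            olcTLS*File:*) ;;
            *) continue ;;
        esac
        attr=${line%%:*}
        path=${line#*: }
        if [ -r "$path" ]; then
            echo "OK $attr $path"
        else
            echo "MISSING $attr $path"
            rc=1
        fi
    done
    return "$rc"
}

main() {
    fetch_tls_attrs | unwrap_ldif | check_tls_files
}

# Invoke as: sh check-olc-tls.sh check
if [ "${1:-}" = "check" ]; then
    main
fi
```

Compare the output on the working and broken server; a MISSING line on only one of them is the difference the replicated config cannot show you.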