[EdLUG] OpenLDAP slap client and/or syncrepl error

CAIRNEY Mark Mark.Cairney at ed.ac.uk
Fri May 20 21:40:50 UTC 2022


Hi,
It’s been a while since I looked at OpenLDAP’s certs (and its behaviour differs slightly depending on which SSL lib it was linked against). I think Debian linked against openssl though. The TLSCACert should point to a bundle containing all the roots and intermediates of any certs in play (it’s not fussy about order but needs the full set; it’s more of a trust store than a cert chain in that respect). The other thing is ensuring that the server cert has the correct FQDNs in it. We have a common cert with all the server CNs as Subject AltNames to ensure consistency.
This is all dredged from memory; as you can guess from the sig, I’m not currently sitting in front of an LDAP server to confirm! ;)

Sent from my iPhone

On 20 May 2022, at 20:50, Tahir Hafiz <tahir.hafiz at gmail.com> wrote:


This email was sent to you by someone outside the University.
You should only click on links or attachments if you are certain that the email is genuine and the content is safe.
Thanks Mark, I realised I never restarted slapd on the sso2 ldap box when I renewed the certs there, and this is what I see upon restarting the slapd service:

May 20 19:35:36 sso2 slapd[17605]: slapd starting
May 20 19:35:36 sso2 slapd[17605]: slap_client_connect: URI=ldaps://sso1.redacted.net/ TLS context initialization failed (-1)
May 20 19:35:36 sso2 slapd[17605]: do_syncrepl: rid=001 rc -1 retrying (4 retries left)
May 20 19:35:36 sso2 slapd[17605]: slap_client_connect: URI=ldaps://sso1.redacted.net/ DN="cn=admin,dc=redacted,dc=net" ldap_sasl_bind_s failed (-1)
May 20 19:35:36 sso2 slapd[17605]: do_syncrepl: rid=004 rc -1 retrying (4 retries left)

And on the sso1 ldap box I still see this upon restarting slapd there:

May 20 19:36:26 sso1 slapd[16803]: slapd starting
May 20 19:36:26 sso1 slapd[16803]: slap_client_connect: URI=ldaps://sso2.redacted.net/ TLS context initialization failed (-1)
May 20 19:36:26 sso1 slapd[16803]: do_syncrepl: rid=002 rc -1 retrying (4 retries left)
May 20 19:36:32 sso1 slapd[16803]: SASL [conn=1001] Failure: no secret in database

So sso2 ldap box seems to be doing a bit better (one less error).
Is there a way I can troubleshoot which certificates in the chain are causing the issue - like some interesting commands?
I will try and look at the SASL config too to see where the secret is missing.

Unfortunately, these seem to be quite dated Ubuntu 14 boxes.

Thank you!

On Fri, May 20, 2022 at 7:49 PM CAIRNEY Mark <Mark.Cairney at ed.ac.uk> wrote:
Hi,
I think there are 2 issues at play
1. The certs/CA isn’t right on one of the servers (hence the TLS errors), so the syncrepl bind is failing.
2. It looks like SASL can’t find a password entry for the user in the bind attempt. Might be worth checking your SASL config to ensure the mechanisms you expect are available and your authzregexp is set up correctly.

Sent from my iPhone

On 20 May 2022, at 18:56, Tahir Hafiz <tahir.hafiz at gmail.com> wrote:


Hi,

We have two OpenLDAP servers (sso1 and sso2; ignore alpha - I think that one was decommissioned years ago).
sso1 and sso2 are meant to be in mirror mode (sometimes called multi-master mode).
I had to switch sso1 off a while ago because it was no longer responding and didn't have much time to look at it back then.

I have now had some spare time to look at it, updated the web certs which had to be renewed and restarted the openldap server in question.
But I see the following error (and Google has not helped much on this one):

May 20 16:11:44 sso1 slapd[9008]: slapd starting
May 20 16:11:44 sso1 slapd[9008]: slap_client_connect: URI=ldaps://alpha.redacted.net/ TLS context initialization failed (-1)
May 20 16:11:44 sso1 slapd[9008]: do_syncrepl: rid=003 rc -1 retrying (4 retries left)
May 20 16:11:44 sso1 slapd[9008]: slap_client_connect: URI=ldaps://sso2.redacted.net/ TLS context initialization failed (-1)
May 20 16:11:44 sso1 slapd[9008]: do_syncrepl: rid=002 rc -1 retrying (4 retries left)
May 20 16:12:13 sso1 slapd[9008]: SASL [conn=1001] Failure: no secret in database

The weird thing is that the OpenLDAP sso1 box is syncing to the sso2 ldap box, and I can connect to it with an ldap client on my home desktop and it now has the latest records, so it is working as an ldap server, but I'm not sure what the errors really mean.
Are there any avenues I can explore on this or has anyone seen something like this before (N.B. I am no ldap expert) ?

Thanking you in advance,
Tahir
--
EdLUG mailing list
EdLUG at mailman.lug.org.uk<mailto:EdLUG at mailman.lug.org.uk>
https://lists.edlug.org.uk/mailman/listinfo/edlug
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. Is e buidheann carthannais a th’ ann an Oilthigh Dhùn Èideann, clàraichte an Alba, àireamh clàraidh SC005336.