OpenLDAP mirror mode replication failing with TLS behind a load balancer

Posted by Lynn Owens on Server Fault
Published on 2012-12-02T03:14:34Z Indexed on 2012/12/02 5:07 UTC

I have two OpenLDAP servers that are both running TLS. They are:

ldap1.mydomain.com
ldap2.mydomain.com

I also have a load balancer cluster with a DNS name of its own:

ldap.mydomain.com

The SSL certificate has a CN of ldap.mydomain.com, with SANs of ldap1.mydomain.com and ldap2.mydomain.com.

Everything works... Except mirror mode replication.

My mirror mode replication is setup like this:

ldap.conf

TLS_REQCERT allow

cn=config.ldif

olcServerID: 1 ldap://ldap1.mydomain.com
olcServerID: 2 ldap://ldap2.mydomain.com

On ldap1, olcDatabase{1}hdb.ldif

olcMirrorMode: TRUE
olcSyncrepl: {0}rid=001 provider=ldap://ldap2.mydomain.com bindmethod=simple bindmethod=simple binddn="cn=me,dc=mydomain,dc=com" credentials="REDACTED" starttls=yes searchbase="dc=mydomain,dc=com" schemachecking=on type=refreshAndPersist retry="60 +"

On ldap2, olcDatabase{1}hdb.ldif

olcMirrorMode: TRUE
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.mydomain.com bindmethod=simple bindmethod=simple binddn="cn=me,dc=mydomain,dc=com" credentials="REDACTED" starttls=yes searchbase="dc=mydomain,dc=com" schemachecking=on type=refreshAndPersist retry="60 +"

Here are the errors I'm getting in syslog:

Dec  1 21:05:01 ldap1 slapd[6800]: slap_client_connect: URI=ldap://ldap2.mydomain.com DN="cn=me,dc=mydomain,dc=com" ldap_sasl_bind_s failed (-1)
Dec  1 21:05:01 ldap1 slapd[6800]: do_syncrepl: rid=001 rc -1 retrying
Dec  1 21:05:08 ldap1 slapd[6800]: conn=1111 fd=20 ACCEPT from IP=ldap.mydomain.com:2295 (IP=ldap1.mydomain.com:636)
Dec  1 21:05:08 ldap1 slapd[6800]: conn=1111 fd=20 closed (TLS negotiation failure)

Any ideas? I've been working on OpenLDAP for way too long now.
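As an added example (not part of the question or of OpenLDAP itself), here is a small Python check that parses an olcSyncrepl value in the format shown above and reports what a reviewer would look at before trusting the replication link: duplicated parameters, whether TLS_REQCERT actually verifies the provider's certificate, whether the provider host is covered by the certificate's names, and whether starttls=yes can silently fall back to cleartext. The certificate names are constructed from the CN and SANs stated in the question; TLS_REQCERT demand and starttls=critical are real OpenLDAP settings.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed input: the olcSyncrepl value from ldap1's olcDatabase{1}hdb.ldif above.
SYNCREPL_LDAP1 = ('{0}rid=001 provider=ldap://ldap2.mydomain.com bindmethod=simple '
                  'bindmethod=simple binddn="cn=me,dc=mydomain,dc=com" credentials="REDACTED" '
                  'starttls=yes searchbase="dc=mydomain,dc=com" schemachecking=on '
                  'type=refreshAndPersist retry="60 +"')
# Constructed from the question: certificate CN plus its two SANs.
CERT_NAMES = {'ldap.mydomain.com', 'ldap1.mydomain.com', 'ldap2.mydomain.com'}

def parse_syncrepl(value):
    """Split an olcSyncrepl value into (ordering index, {param: value}, duplicated params)."""
    m = re.match(r'^\{(\d+)\}(.*)$', value, re.S)
    index = int(m.group(1)) if m else None
    body = m.group(2) if m else value
    params, dups = {}, []
    for tok in shlex.split(body):          # shlex strips the double quotes around values
        key, _, val = tok.partition('=')
        key = key.lower()
        if key in params:
            dups.append(key)
        params[key] = val                  # slapd keeps the last occurrence; so do we
    return index, params, dups

def check_syncrepl(value, tls_reqcert, cert_names):
    """Return findings about the TLS posture of one syncrepl consumer definition."""
    _, p, dups = parse_syncrepl(value)
    findings = [f'duplicate parameter: {k}' for k in dups]
    uri = urlparse(p.get('provider', ''))
    starttls = p.get('starttls', 'no')
    if uri.scheme == 'ldaps' and starttls in ('yes', 'critical'):
        findings.append('starttls on an ldaps:// provider URI is contradictory')
    if uri.scheme == 'ldaps' or starttls in ('yes', 'critical'):
        if tls_reqcert.lower() != 'demand':
            findings.append(f'TLS_REQCERT {tls_reqcert}: provider certificate is not verified')
        if uri.hostname not in cert_names:
            findings.append(f'provider host {uri.hostname} is not among certificate names '
                            f'{sorted(cert_names)}')
    if uri.scheme == 'ldap' and starttls == 'yes':
        findings.append('starttls=yes continues in cleartext if StartTLS fails; '
                        'use starttls=critical')
    return findings

if __name__ == '__main__':
    for f in check_syncrepl(SYNCREPL_LDAP1, 'allow', CERT_NAMES):
        print('-', f)
```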
