Thread index: 30 messages in org.openldap.openldap-software, "failover config: servers with same DN..."

From                   Sent On
Emmanuel Dreyfus       Jul 23, 2007 6:51 am
Quanah Gibson-Mount    Jul 23, 2007 11:01 am
Emmanuel Dreyfus       Jul 23, 2007 1:09 pm
Quanah Gibson-Mount    Jul 23, 2007 1:18 pm
Russ Allbery           Jul 23, 2007 4:35 pm
Christopher Cowart     Jul 23, 2007 7:40 pm
Howard Chu             Jul 23, 2007 9:58 pm
Emmanuel Dreyfus       Jul 24, 2007 1:02 am
Howard Chu             Jul 24, 2007 1:54 am
Emmanuel Dreyfus       Jul 24, 2007 12:18 pm
Quanah Gibson-Mount    Jul 25, 2007 8:53 am
Emmanuel Dreyfus       Jul 25, 2007 9:07 am
Quanah Gibson-Mount    Jul 25, 2007 9:48 am
Michael Ströder        Jul 25, 2007 9:53 am
Emmanuel Dreyfus       Jul 25, 2007 10:36 am
Quanah Gibson-Mount    Jul 25, 2007 10:47 am
Howard Chu             Jul 25, 2007 2:31 pm
Michael Ströder        Jul 25, 2007 2:39 pm
Howard Chu             Jul 25, 2007 2:45 pm
Russ Allbery           Jul 25, 2007 2:46 pm
Norman Gaywood         Jul 25, 2007 3:04 pm
Emmanuel Dreyfus       Jul 25, 2007 8:31 pm
Emmanuel Dreyfus       Jul 25, 2007 8:31 pm
Howard Chu             Jul 25, 2007 11:18 pm
Ralf Haferkamp         Jul 26, 2007 1:28 am
Emmanuel Dreyfus       Jul 26, 2007 4:04 am
Emmanuel Dreyfus       Jul 26, 2007 4:04 am
Donn Cave              Jul 26, 2007 9:39 am
Ralf Haferkamp         Jul 26, 2007 11:47 am
Howard Chu             Jul 27, 2007 2:14 am
Subject: failover config: servers with same DNS address and TLS, subjectAltName extension
From: Emmanuel Dreyfus
Date: Jul 23, 2007 6:51:19 am

For future reference, here is what I had to do to get multiple LDAP servers answering on the same DNS address and using TLS.

The DNS contains these records:

    srv1     IN A
    srv2     IN A
    ldap  1  IN A
    ldap  1  IN A

The clients have this in ldap.conf:

    BASE          dc=example,dc=net
    TLS_CACERT    /etc/openssl/certs/ca.crt
    URI           ldaps://
    TLS_REQCERT   demand
    # Cannot get this working!
    #TLS_CRLCHECK peer

    # For login/password over TLS
    SASL_MECH     PLAIN
    SASL_SECPROPS none

In order to have this working, we need x509 certificates that have the subjectAltName extension. This is not an OpenLDAP-specific problem, but the information about how to do it seems difficult to find, hence here is the result of my experiments.

1) Creating a CSR

On the LDAP servers, we need to set up OpenSSL for generating the certificate request (CSR). We need this in the [ req ] section of /etc/openssl/openssl.cnf:

    req_extensions = v3_req

Then, we need a [ v3_req ] section:

    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectAltName = ","

It seems the subjectAltName has to be set in the config file. I found no way to have it prompted by the openssl command.

If you don't have a private key yet, generate it:

    # ( umask 077; openssl genrsa > /etc/openssl/private/srv1.key )

Next, make the CSR:

    # openssl req -new -key /etc/openssl/private/srv1.key -out srv1.csr

Answer the questions openssl asks. The common name is

Of course the same must be done on srv2.

2) Signing the certificate

On the machine that holds your certificate authority, some setup is also needed in openssl.cnf. In the [ CA_default ] section (or in [ ca ]):

    copy_extensions = copy

Note that this will copy any extensions, so you have to be careful about what you are signing. See the WARNINGS section of openssl_ca.

Sign it (I assume your CA setup already works here):

    # openssl ca -keyfile /etc/openssl/private/ca.crt -in srv1.csr -out srv1.crt
    # openssl ca -keyfile /etc/openssl/private/ca.crt -in srv2.csr -out srv2.crt

3) Configuring slapd

Install ca.crt and srv1.crt (srv2.crt) on srv1 (srv2), and configure slapd with this in slapd.conf:

    TLSCertificateFile    /etc/openssl/certs/srv1.crt
    TLSCertificateKeyFile /etc/openssl/private/srv1.key
    TLSCACertificateFile  /etc/openssl/certs/ca.crt
    TLSVerifyClient       allow
    sasl-secprops         none

Then, restart slapd, and the thing should work.

4) Having this working with syncrepl

An add-on: now let's imagine srv1 and srv2 are syncrepl-powered replicas. The master is In order to avoid pushing sensitive data to a rogue machine that would claim to be a replica, we want to use client and server TLS certificate authentication for the syncrepl exchange.

Note that on the consumer, the same certificate must be used for syncrepl and for the ldaps:// service. This is a limitation in OpenLDAP 2.3.x.

4.1) On the syncrepl consumer (srv1 and srv2), in slapd.conf:

    syncrepl rid=24
        type=refreshAndPersist
        searchbase="dc=example,dc=net"
        starttls=critical
        bindmethod=sasl
        saslmech=EXTERNAL
        retry=3,1,10,2,60,+

Make sure rid is different on srv1 and srv2. Don't forget to add entryUUID and entryCSN to the index of your databases (see

4.2) On the syncrepl producer (ldap0), in slapd.conf:

    TLSCertificateFile    /etc/openssl/certs/ldap0.crt
    TLSCertificateKeyFile /etc/openssl/private/ldap0.key
    TLSCACertificateFile  /etc/openssl/certs/ca.crt
    TLSVerifyClient       allow

    # This allows login/password protected by TLS (for users)
    sasl-secprops none

    overlay syncprov
    syncprov-checkpoint 100 10
    syncprov-sessionlog 100

    # ACL to allow syncrepl consumer to get userPassword through TLS session
    # while regular users will not be able to see them
    access to attrs=userPassword
        by anonymous auth
        by self write
        by dn.regex="" read
        by dn.regex="" read
        by * none

    access to * by * read
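As an added check, not part of Emmanuel's post or of OpenLDAP itself: the name-matching rule a TLS client applies under TLS_REQCERT demand (RFC 6125 style, which is why a commonName of srv1 alone never satisfies a client that connected to the shared name), plus a helper that pulls the DNS names each backend actually presents over ldaps so a server can be checked before it is added to the round-robin record. The hostnames and certificate contents below are constructed samples; the CA path is the one from the post.

```python
import socket
import ssl

# Constructed sample, shaped like ssl.SSLSocket.getpeercert(): srv1's certificate
# whose subjectAltName also covers the shared round-robin name ldap.example.net.
CERT_WITH_SAN = {
    "subject": ((("commonName", "srv1.example.net"),),),
    "subjectAltName": (("DNS", "srv1.example.net"), ("DNS", "ldap.example.net")),
}
# Constructed sample: the same server, but the CSR was made without the
# v3_req / subjectAltName settings, so only the commonName identifies it.
CERT_CN_ONLY = {"subject": ((("commonName", "srv1.example.net"),),)}


def dns_id_matches(pattern, hostname):
    """Case-insensitive comparison of one DNS-ID against the name the client used.
    A '*' is honoured only as the entire leftmost label (RFC 6125 style), so
    '*.example.net' covers ldap.example.net but not example.net or a.b.example.net."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    rest = hostname.split(".", 1)[1:]          # labels after the first one
    return bool(rest) and rest[0] == pattern[2:]


def hostname_accepted(cert, hostname):
    """What a client with TLS_REQCERT demand decides for a certificate presented
    when it connected to `hostname`. If the certificate carries any DNS
    subjectAltName, only those names count; commonName is a fallback used
    solely for legacy certificates that have no SAN at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(dns_id_matches(s, hostname) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_id_matches(c, hostname) for c in cns)


def peer_dns_names(host, port=636, cafile="/etc/openssl/certs/ca.crt"):
    """Connect to one backend over ldaps and return the DNS names its certificate
    presents. The chain is still verified against the CA; only the hostname
    check is disabled so a missing SAN is reported instead of aborting."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
```

A certificate that lists ldap.example.net in its SAN but omits the server's own name will fail when the server is contacted directly as srv1, because once a SAN is present the commonName is no longer consulted; both names belong in the subjectAltName line.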