I am trying to add TLS-secured replication between a master and a slave LDAP server. The replication without TLS works well.
I encounter this error from the slave: slapd_client_connect: URI=ldap://master.domain.com Error, ldap_start_tls failed (-11)
Here is my configuration:
----- Master -----
/etc/ldap/ldap.conf
URI ldap://master.domain.com/
TLS_CACERT /etc/ssl/cacert.pem
TLS_REQCERT demand
/etc/ldap/slapd.d/cn=config.ldif
olcTLSCertificateKeyFile: /etc/ssl/master-key.pem
olcTLSCertificateFile: /etc/ssl/master-cert.pem
----- Slave -----
/etc/ldap/ldap.conf
URI ldap://slave.domain.com/
TLS_CACERT /etc/ssl/cacert.pem
TLS_REQCERT demand
/etc/ldap/slapd.d/cn=config.ldif
olcTLSCertificateKeyFile: /etc/ssl/slave-key.pem
olcTLSCertificateFile: /etc/ssl/slave-cert.pem
/etc/ldap/slapd.d/cn=config/olcDatabase{1}mdb.ldif
olcSyncrepl: rid=001, provider=ldap://master.domain.com binddn="cn=readonly,ou=users,dc=master,dc=domain,dc=com" bindmethod=simple credentials="mypass" searchbase="dc=master,dc=domain,dc=com" type=refreshAndPersist timeout=0 network-timeout=0 retry="60 +" starttls=critical tls_reqcert=demand
This is what I already checked / tried:
- The certificates on both servers are owned by the user openldap
- The fingerprint of cacert.pem on both servers is the same
- The expiration dates of the certificates are good
- The cn in the cacert.pem is equal to the cn of the master server
- The slave can use the following command to search on the master:
  ldapsearch -ZZ -x -H master.domain.com -b "ou=groups,dc=master,dc=domain,dc=com"
- Changing the slave olcTLS values to use the master certificates
- Using ldaps:// instead of ldap:// + starttls (ldapsearch -ZZ -H ldaps:// was working)
After some research on the internet, the discussions often talk about the CA certificate (either the cn in it, the owner of the file, ...), but I already checked these cases.
Do you have an idea where the problem comes from?
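An added helper, not part of the question above and not OpenLDAP code: -11 is libldap's LDAP_CONNECT_ERROR, a client-side result, so the settings that matter are the ones the slapd consumer process resolves for itself (the tls_* options of the syncrepl directive, falling back to the libldap defaults in ldap.conf). The script below parses the olcSyncrepl value from the question, lists which TLS parameters are set in the directive versus inherited from ldap.conf, and builds an openssl s_client probe that checks the provider's chain the way the consumer would. Function names and the ldap.conf dictionary format are my own assumptions; the sample directive is copied from the question.

```python
"""Lint an olcSyncrepl value for StartTLS consistency (hypothetical helper, not an OpenLDAP tool)."""
import shlex
from urllib.parse import urlsplit

# Constructed sample: the consumer directive from the question, verbatim.
SAMPLE = ('rid=001, provider=ldap://master.domain.com '
          'binddn="cn=readonly,ou=users,dc=master,dc=domain,dc=com" bindmethod=simple '
          'credentials="mypass" searchbase="dc=master,dc=domain,dc=com" type=refreshAndPersist '
          'timeout=0 network-timeout=0 retry="60 +" starttls=critical tls_reqcert=demand')


def parse_syncrepl(value):
    """Split an olcSyncrepl value into a dict of lower-cased keys.

    Quoted values such as binddn="..." and retry="60 +" keep their spaces and
    commas; the trailing comma after rid=001 is dropped.
    """
    params = {}
    for token in shlex.split(value):
        token = token.rstrip(",")
        if "=" not in token:
            raise ValueError("unexpected syncrepl token: %r" % token)
        key, _, val = token.partition("=")
        params[key.lower()] = val
    return params


def check_tls_settings(params, ldap_conf=None):
    """Return findings about the TLS-related parts of a parsed syncrepl directive.

    ldap_conf is an optional dict of the consumer host's ldap.conf keys
    (e.g. {"TLS_CACERT": "/etc/ssl/cacert.pem"}); libldap uses those as
    defaults whenever the directive does not set the matching tls_* option.
    """
    findings = []
    ldap_conf = ldap_conf or {}
    scheme = urlsplit(params.get("provider", "")).scheme
    starttls = params.get("starttls", "no").lower()
    if scheme == "ldaps" and starttls != "no":
        findings.append("starttls=%s combined with an ldaps:// provider: pick one, "
                        "ldaps:// is already TLS" % starttls)
    if scheme == "ldap" and starttls == "no" and params.get("bindmethod") == "simple":
        findings.append("simple bind without StartTLS sends the credentials in clear text")
    # libldap's default for TLS_REQCERT is demand.
    reqcert = params.get("tls_reqcert", ldap_conf.get("TLS_REQCERT", "demand")).lower()
    cacert = params.get("tls_cacert", ldap_conf.get("TLS_CACERT"))
    if reqcert in ("demand", "hard") and not cacert:
        findings.append("tls_reqcert=%s but no CA file: set tls_cacert= in the directive "
                        "or TLS_CACERT in the consumer's ldap.conf" % reqcert)
    elif "tls_cacert" not in params and cacert:
        findings.append("tls_cacert not in directive; consumer relies on ldap.conf "
                        "TLS_CACERT=%s as read by the slapd process" % cacert)
    if reqcert in ("never", "allow"):
        findings.append("tls_reqcert=%s disables peer verification" % reqcert)
    return findings


def starttls_probe_command(params, ldap_conf=None):
    """Build an openssl s_client argv that performs StartTLS against the provider.

    Assumes OpenSSL 1.1.1 or newer (-starttls ldap). Run it on the consumer host
    to see the chain and verification result that libldap will get.
    """
    ldap_conf = ldap_conf or {}
    url = urlsplit(params["provider"])
    host = url.hostname
    port = url.port or (636 if url.scheme == "ldaps" else 389)
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-verify_hostname", host]
    if url.scheme == "ldap":
        cmd += ["-starttls", "ldap"]
    cacert = params.get("tls_cacert", ldap_conf.get("TLS_CACERT"))
    if cacert:
        cmd += ["-CAfile", cacert]
    return cmd


if __name__ == "__main__":
    parsed = parse_syncrepl(SAMPLE)
    conf = {"TLS_CACERT": "/etc/ssl/cacert.pem", "TLS_REQCERT": "demand"}
    for line in check_tls_settings(parsed, conf):
        print("finding:", line)
    print("probe:", " ".join(starttls_probe_command(parsed, conf)))
```

The probe deliberately passes the same CA file the consumer would use, so a verification failure in its output points at the trust setup on the slave rather than at the master's listener.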