So I figured out that I have to escape the url with % signs. I had it working without them when I tested TLS before.

ex.: sudo ldapsearch -x -H ldap:///%e%x%a%m%p%l%e%.%c%o%m -D cn=admin,dc=example,dc=com -W -ZZ

Weird. I’d try it in the config file if I could figure out how without blowing up the server.

–peace out.

OK. Live and learn. Now that TLS works, I floundered updating the replication piece. I tried updating the config database, but apparently, I was slightly off. Looking at the update file that I created from the tutorial, it looks like I should be able to re-run it. I thought it would just replace the olcSyncRepl line, but no dice. It gives a message that it is updating, and then hangs. If I control -c and get back to the command prompt, it hangs if I try to do an ldapsearch. If I control -c and then /etc/init.d/slapd restart, I can ldapsearch again and see that it didn’t update the config. Being a clever fellow, I went to the other server figuring that if I got it right, it would replicate. I didn’t get it right. Same behavior when I try to re-run the file.

Do you by chance know how to delete the syncrepl bit so that I can keep trying to get it right? Here’s what the file looks like:

dn: olcDatabase={0}config,cn=config
replace: olcSyncrepl
olcSyncrepl: {0}rid=001 provider=ldap:///www.example.info binddn=”cn=admin,cn
=config” bindmethod=simple credentials=password searchbase=”cn=config” type=refreshAndPersist retry=”5 5 300 5″ timeout=1 starttls=yes
olcSyncrepl: {1}rid=002 provider=ldap:///casserver.example.info binddn=”cn=admin,cn
=config” bindmethod=simple credentials=password searchbase=”cn=config” type=refreshAndPersist retry=”5 5 300 5″ timeout=1 starttls=yes

BTW, in case you notice, I have an example.info domain where my servers are running, but my ldap is setup as cn=example,cn=com because I have that domain also.

Thanks for all your help. I hope this can help others. Openldap is hard.
Paul

Thanks again.

P.S. You are definitely still a hero!

Just so we can establish a base for what is causing the error:
Where is the error message appearing? Apache logs? Sugar? OpenLdap? Does apache work ok with all of the TLS and certificates diasbled?
Does the rails app authenticate too? Are there any errors posted there too?

As for the certificates, it should not matter which machine has done the signing, just what cert was signed with what cert. I only have one CA on one machine that I generate all off my host certificates with.

http://www.tc.umn.edu/~brams006/selfsign.html

I created the server.key and .csr and .crt for the same server that was running the CA. I signed that certificate with my CA. Next, I logged onto my machine running Sugarcrm and generated the server.key and .csr there. Next, I sftp’ed the .csr to the first machine running the CA. I created that .crt and sftp’ed back. I copied the CA root certificate ca.crt to /etc/ssl/certs on both machines. I installed each .crt to their respective /etc/ssl/certs, and then I copied both to each trying to get it to work.

> But following the Ubuntu Server Guide for setting up a CA you should end up with
> certificates signed by your CA certificate. Not self signed.

There was actually a discussion about this in the thread that I linked to in my prior post. It says that ultimately there has to be a root certificate self-signed in the chain somewhere, even from Thawte or verisign. I think it’s a real live instance of Russell’s Paradox. You know the one, about the barber that only shaves barbers that don’t shave themselves. Does he shave himself?

Enough with the math. May be my problem is that I have a certificate generated and signed on the same machine as the CA ???????? I made sure to give different common names to the CA and the certificate by appending ‘CA’ to the end of the CA, as per the tutorial that I linked to above.

Here’s the relevant portion of my vhost file on the server running the CA [and rails app]:

ServerAdmin hamann_paul@yahoo.com
ServerName 192.168.0.3
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCACertificateFile /etc/ssl/certs/ca.crt

Here’s the relevant portion of the vhost on the server running Sugar:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/hoth.crt ## hoth is the name of the server
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCACertificateFile /etc/ssl/certs/ca.crt

Here’s the error message again:
at depth 1 – 19: self signed certificate in certificate chain

My thinking was that it would be easier to get ssl working with these two apps and then try openldap and TLS. It hasn’t worked out so far : (

Cheers! P

But following the Ubuntu Server Guide for setting up a CA you should end up with certificates signed by your CA certificate. Not self signed.

It also depends on weather the error in Apache is coming from the SugarCRM or OpenLDAP directives too.

You could also try turning of TLS certificate checking in /etc/ldap/ldap.conf by adding ‘TLS_REQCERT allow’. That is as long as Apache respects that file, otherwise there may be other options in apache you can try.

Sorry I can’t be of more help.

at depth 1 – 19: self signed certificate in certificate chain

I found this explanation when I googled the above error message, regarding OpenLdap, no less.

############
>OpenLDAP expects you to use a server certificate that is different from the
>certificate of the issueing CA.

Incorrect.

You simply need to configure the client to accept the
server’s certificate as valid by setting the CA file
to a copy of the server’s certificate.
################

I would be mighty obliged if you could tell me what “setting the CA file
to a copy of the server’s certificate.” means. I already tried the Ubuntu certificate management thingy that you did above. No joy.

And for anyone trying to use a self signed certificate with OpenLdap, the thread that I quoted above can be found here: http://marc.info/?l=openldap-software&m=112585726028819&w=2

It’s a pretty in-depth discussion with some of the core ldap contributors.

Thanks for any help!
Paul

sudo ldapsearch -x -H ldap://12.34.56.78:389 -D cn=admin,cn=config -w secret

and

sudo ldapsearch -x -H ldap://12.34.56.78:389 -D cn=admin,dc=example,dc=com -w secret

It actually took me awhile to get those working. I played with the /etc/ldap/ldap.conf and /etc/default/slapd files.

Now get this. I had just given up on replication. I was gathering some details on my configuration to add to this post. I noticed the olcDbIndex that you were kind enough to post. So I said hey, this guy is smarter than me. Now that I know how to delete, why don’t I just copy what he’s got. And sure enough.

That son of a bitch started working!!!!!!!!!!!!!!!!!!!!!

You are an absolute hero. Until I try TLS at least.

Regards,
paul

I can generate the error by shutting down either slapd daemon. My suggestion is that one one part of your replication setup has an error. If you have two daemons then there are four parts that could contain the error. cn=config, there and back, and dc=example,dc=com, there and back. My guess would be in one of the dc=example,dc=com and on the server that you are getting the error from.

Also try the exercise of actually testing the replication on each section in each direction.

It took a fair while for me to work out where my replication problems were once I introduced TLS replication.

Have you had anything like the following filling up your syslog’s?

Apr 21 22:38:18 ldap3 slapd[5328]: connection_read(28): no connection!
Apr 21 22:38:58 ldap3 last message repeated 2 times
Apr 21 22:40:08 ldap3 last message repeated 4 times

I get it with the same setup (Ubuntu 8.10) and can’t seem to find out why it’s happening. Replication is working great :S