Open fager opened 2 years ago
We suspect that the server is behaving as expected; we need more information to determine whether this is a bug, an RFE or a misconfiguration.
@fager, do I understand correctly that you mean the 'tls_cacertdir' local path to the CA certificate should be taken into account in the 'replication monitor' operation?
@droideck, I'll try to explain this in a bit more detail...
The LDAP connection in lib389 requires tls_cacertdir, as described in man 5 ldap.conf (TLS_CACERTDIR), to verify the Server-Cert of the target instance.
There are two possible ways for the connection configuration in the .dsrc file:
As far as I could read from the Python code, there is no default way to set tls_cacertdir for the connection entries in the repl-monitor-connections section. lib389 has "somewhere" (I couldn't find it) a fallback value of "/etc/dirsrv/slapd-template" for the tls_cacertdir setting:
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-template
Because the "/etc/dirsrv/slapd-template" directory does not exist, the lib389 connection is unable to validate the peer certificate.
A default instance installation has the necessary files in the main configuration directory:
18a51399.0 -> ca.crt
61031c04.0 -> Server-Cert.crt
ca.crt
Server-Cert.crt
A possible solution may be to change the default value for tls_cacertdir from "/etc/dirsrv/slapd-template" to "/etc/dirsrv/slapd-$INSTANCE_NAME", or to allow a default section in the .dsrc file to set tls_cacertdir for all connections.
Found some related Issues/BZ:
Issue Description
"dsconf replication monitor" does not show remote status information when repl-agmts are created with --conn-protocol=ldaps.
Package Version and Platform:
(other versions not tested yet)
Steps to Reproduce:
Expected results
Replication status information for all repl-agmts on all instances
Screenshots
Own instance data is displayed as expected.
Data for all other instances is missing:
Debug-Output from "dsconf -vvv ...":
Additional context
The tls_cacertdir setting in .dsrc is only valid for the local instance sections.
All repl-monitor-connections entries are initialized with empty defaults, and only the host, port, bind user and bind password fields can be set.
As all replication partners must work with server certificates from the same CA, the normal TLS context from /etc/dirsrv/slapd-/ should work for the replication monitor.
As soon as I create /etc/dirsrv/slapd-template and put the required certificates (with c_rehash) in there, the dsconf output is as expected.
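The following script is an added illustration for this issue; it is not lib389 code and was not posted by the issue author. It parses a constructed .dsrc modelled on the sections discussed above, resolves the effective tls_cacertdir for each local instance section and each repl-monitor-connections entry, and reports whether that directory exists and holds c_rehash-style `<hash>.0` links, which is what TLS_CACERTDIR needs to validate the peer certificate. The `[defaults]` section stands in for the "default section" proposed in the thread and is an assumption (lib389 does not read such a section); the hostnames and instance paths are constructed, while the `/etc/dirsrv/slapd-template` fallback is the one quoted in the debug output.

```python
"""Resolve and check the effective tls_cacertdir per .dsrc connection.

Added illustration for this issue, not lib389 code. The [defaults]
section is a hypothetical stand-in for the default section proposed
in the thread; lib389 does not implement it.
"""
import configparser
import os
import re
import tempfile

# Constructed .dsrc; hostnames, base DN and instance paths are assumptions.
SAMPLE_DSRC = """\
[slapd-ds1]
uri = ldaps://ds1.example.com:636
basedn = dc=example,dc=com
binddn = cn=Directory Manager
tls_cacertdir = /etc/dirsrv/slapd-ds1
tls_reqcert = hard

[repl-monitor-connections]
connection1 = ds2.example.com:636:cn=Directory Manager:*
connection2 = ds3.example.com:636:cn=Directory Manager:*
"""

# Fallback path quoted in the issue's "dsconf -vvv" debug output.
LIB389_FALLBACK_CACERTDIR = "/etc/dirsrv/slapd-template"

# OpenSSL subject-hash link names as produced by c_rehash, e.g. 18a51399.0
HASH_LINK_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")


def parse_dsrc(text):
    """Parse .dsrc text (INI syntax) without '%' interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_monitor_connection(value):
    """Split a repl-monitor-connections value 'host:port:binddn:bindpw'.

    Only four fields exist, which is exactly the limitation the issue
    describes: there is no place for a CA directory in this format.
    """
    host, port, binddn, bindpw = value.split(":", 3)
    return {"host": host, "port": int(port), "binddn": binddn, "bindpw": bindpw}


def resolve_cacertdir(cp, section):
    """Effective CA directory for one section.

    Instance sections may set tls_cacertdir themselves. Monitor entries
    cannot, so they use the hypothetical [defaults] section if present,
    and otherwise the template path lib389 falls back to.
    """
    if cp.has_option(section, "tls_cacertdir"):
        return cp.get(section, "tls_cacertdir")
    if cp.has_option("defaults", "tls_cacertdir"):
        return cp.get("defaults", "tls_cacertdir")
    return LIB389_FALLBACK_CACERTDIR


def check_cacertdir(path):
    """Return 'missing', 'no-hash-links' or 'ok' for a CA directory.

    OpenLDAP's TLS_CACERTDIR lookup goes through OpenSSL, which locates CA
    certificates by their subject-hash file names; a directory with only
    ca.crt and no <hash>.0 link still fails peer validation.
    """
    if not os.path.isdir(path):
        return "missing"
    if not any(HASH_LINK_RE.match(name) for name in os.listdir(path)):
        return "no-hash-links"
    return "ok"


def audit(cp):
    """Map each local instance and monitor target to (cacertdir, status)."""
    report = {}
    for section in cp.sections():
        if section == "repl-monitor-connections":
            cadir = resolve_cacertdir(cp, section)
            for _name, value in cp.items(section):
                conn = parse_monitor_connection(value)
                key = "%s:%d" % (conn["host"], conn["port"])
                report[key] = (cadir, check_cacertdir(cadir))
        elif section.startswith("slapd-"):
            cadir = resolve_cacertdir(cp, section)
            report[section] = (cadir, check_cacertdir(cadir))
    return report


def add_defaults_section(text, cacertdir):
    """Append the hypothetical [defaults] section proposed in the issue."""
    return text + "\n[defaults]\ntls_cacertdir = %s\n" % cacertdir


def make_demo_cacertdir(rehashed):
    """Create a throwaway directory standing in for a tls_cacertdir.

    With rehashed=True it receives an empty 18a51399.0 placeholder (the
    link name shown in the issue); a real directory also holds the PEM.
    """
    path = tempfile.mkdtemp(prefix="cacertdir-")
    if rehashed:
        with open(os.path.join(path, "18a51399.0"), "w"):
            pass
    return path


if __name__ == "__main__":
    for target, (cadir, status) in audit(parse_dsrc(SAMPLE_DSRC)).items():
        print("%-24s %-32s %s" % (target, cadir, status))
    fixed = add_defaults_section(SAMPLE_DSRC, make_demo_cacertdir(True))
    for target, (cadir, status) in audit(parse_dsrc(fixed)).items():
        print("%-24s %-32s %s" % (target, cadir, status))
```

Run as-is, the first report shows the monitor targets pointing at /etc/dirsrv/slapd-template (normally "missing"), while the second shows them resolving to the rehashed demo directory and reporting "ok", which mirrors the workaround of creating that directory by hand.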