A short time ago, at a computer terminal not so far away, Harry Rüter wrote:
> Replication with 2.1.3.
>
> I always get the same error with slurpd:
>
> ---snipp---
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> ---snipp---
>
> So, I see what the problem is, slurpd doesn't like
> self-signed certificates.
> ---schnipp---
> TLSCertificateFile /etc/certificates/486dx66.crt
> TLSCertificateKeyFile /etc/certificates/486dx66.key
> TLSCACertificateFile /etc/certificates/CA.crt
> ---schnipp---

We ran into something similar recently upgrading from 2.0.x to 2.1.3. Our master and replica each have an SSL cert signed by a local CA. For slurpd to be able to connect via SSL to the replica, it needs to know that it can trust the CA that signed the replica's server cert. We have this specified in slapd.conf, but it looks like slurpd doesn't read this info from slapd.conf. Instead, we had to specify this in ldap.conf on our master server, i.e.:

  TLS_CACERTDIR /usr/local/ssl/certs

You can also specify just the filename for the CA cert with "TLS_CACERT".

We didn't have this in ldap.conf when using 2.0.x, and replication seemed to work, so I'm guessing this is something that changed with 2.1.x.

--
Will Day                        Those who would give up essential Liberty, to
@rom.oit.gatech.edu             purchase a little temporary Safety, deserve neither
O&E / Tech Support              Liberty nor Safety.
UNIX System Programmer                  - Benjamin Franklin, Penn. Assembly, Nov. 11, 1755
-> Opinions expressed are mine alone and do not reflect OIT policy <-
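The failure in the thread, reproduced offline with openssl alone, as an added example that is not code from the thread or from OpenLDAP. It builds a throwaway local CA and a replica cert signed by it, shows that the chain is rejected when nothing trusts the CA (the "self signed certificate in certificate chain" case), shows that it verifies once the CA file is named as trusted, and writes the ldap.conf lines that give slurpd that trust. The CA name, the hostname replica.example.test, the ldap.conf path and the scratch directory are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP. It reproduces the
# "self signed certificate in certificate chain" rejection with openssl alone
# and shows the ldap.conf setting that fixes it. The CA name, the hostname
# replica.example.test and all file paths are made up for the demonstration.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A local CA: a self-signed certificate, like the CA.crt in the thread.
make_local_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Local LDAP CA" \
    -keyout "$WORK/CA.key" -out "$WORK/CA.crt" >/dev/null 2>&1
}

# 2. The replica's server cert, signed by that CA (what slapd on the replica
#    presents when slurpd connects with TLS).
make_replica_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=replica.example.test" \
    -keyout "$WORK/replica.key" -out "$WORK/replica.csr" >/dev/null 2>&1 &&
  openssl x509 -req -days 365 -in "$WORK/replica.csr" \
    -CA "$WORK/CA.crt" -CAkey "$WORK/CA.key" -CAcreateserial \
    -out "$WORK/replica.crt" >/dev/null 2>&1
}

# 3a. What slurpd sees when ldap.conf has no TLS_CACERT: the peer hands over
#     the chain (replica cert plus the self-signed CA cert), but nothing in it
#     is in the trust store. -untrusted models "received from the peer"; the
#     default store does not contain our local CA. Exit status 0 means the
#     chain verified, non-zero means it was rejected.
verify_without_trusted_ca() {
  openssl verify -untrusted "$WORK/CA.crt" "$WORK/replica.crt" 2>&1
}

# 3b. What slurpd sees once ldap.conf carries TLS_CACERT pointing at CA.crt.
verify_with_trusted_ca() {
  openssl verify -CAfile "$WORK/CA.crt" "$WORK/replica.crt" 2>&1
}

# 4. The ldap.conf lines that make the master's libldap (and so slurpd) trust
#    the local CA. Either directive works; TLS_CACERTDIR additionally needs the
#    hashed symlinks that c_rehash / openssl rehash create in the directory,
#    which is easy to forget.
write_ldap_conf() {
  cat >"$WORK/ldap.conf" <<EOF
# /etc/openldap/ldap.conf on the master (path is an assumption)
TLS_CACERT $1
# or: TLS_CACERTDIR /usr/local/ssl/certs
EOF
}

# Run the whole sequence and show each step's outcome.
make_local_ca || { echo "could not create CA"; exit 1; }
make_replica_cert || { echo "could not create replica cert"; exit 1; }

echo "--- chain offered by the replica, no trusted CA configured ---"
verify_without_trusted_ca || echo "rejected, as slurpd reports in the thread"

echo "--- same chain with TLS_CACERT pointing at CA.crt ---"
verify_with_trusted_ca

write_ldap_conf "/etc/certificates/CA.crt"
echo "--- ldap.conf lines for the master ---"
cat "$WORK/ldap.conf"
```

Once the real ldap.conf on the master carries TLS_CACERT (or a rehashed TLS_CACERTDIR), the same check can be run end to end from the master before trusting slurpd with it: ldapsearch -x -ZZ -H ldap://replica.example.test -b '' -s base uses the same libldap settings slurpd does, so if that StartTLS session verifies, slurpd's connection to the replica will too, and if it fails it prints the same TLS error the thread shows.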