
Re: Single-master replication over TLS fails in 2.4.15



Craig Worgan wrote:
> Hi Howard,
>
> I actually thought that my certificate was bad, until I went back to 2.3
> with the same certificate and configuration and it worked fine.  Quanah
> pointed out the new TLS related syncrepl options which, when I added
> them to my config, fixed the problem.  Thing is, I pointed the syncrepl
> options to the same certificate I am using for the TLS* server
> certificate directives. I am using a compound certificate, so my TLS
> related config looks like this:
>
> ...
> TLSCertificateFile 0.pem
> TLSCACertificateFile 0.pem
> TLSCertificateKeyFile 0.pem

Combining the private and public elements of the certs into one file is not wise.

> ...
> syncrepl rid=983
>   provider=ldaps://myhost.nortel.com:10636
>   type=refreshAndPersist
>   searchbase=dc=nortel,dc=com
>   bindmethod=simple
>   binddn=cn=someaccount,dc=nortel,dc=com
>   credentials=secret
>   retry="30 +"
>   tls_cert=0.pem
>   tls_cacert=0.pem
>   tls_key=0.pem
>
> In 2.4, if you configure syncrepl over TLS and omit the new options,
> does OpenLDAP use the values that are configured for the server
> certificate settings (TLS*), if any?

That's already explicitly stated in the slapd.conf(5) manpage.

> If so, I'm confused as to why it
> failed for me originally.

I have no idea, it works for me.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
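The thread's practical advice is to stop pointing all three TLS* directives and all three syncrepl tls_* options at one compound 0.pem. The script below is an added example, not code from the thread or from the OpenLDAP project: it parses a combined PEM bundle, writes the private key, the server certificate and the CA chain to separate files (the key with mode 0600), and emits a slapd.conf fragment whose TLS* directives and syncrepl tls_* options reference those separate files. The sample bundle is constructed filler, not real key or certificate material; the rid, provider, searchbase and binddn are taken from the posted config. It assumes, which the thread does not state, that in a compound file the first CERTIFICATE block is the server certificate and any following ones are its CA chain.

```python
"""Split a compound PEM bundle (private key + server cert + CA certs in
one file) into separate files and render matching slapd TLS* and
syncrepl tls_* directives.  Added example, not OpenLDAP project code."""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# One PEM block; the label in the END line must match the BEGIN line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

# Constructed sample bundle: the base64 bodies are filler, not real material.
SAMPLE_BUNDLE = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEY=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBSERVERCERTSERVERCERTSERVERCERTSERVERCERTSERVERCERTSERVERCERT=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBCACERTCACERTCACERTCACERTCACERTCACERTCACERTCACERTCACERTCACERT=
-----END CERTIFICATE-----
"""


def parse_pem(bundle: str) -> List[Tuple[str, str]]:
    """Return (label, block text) for every PEM block, in file order."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_BLOCK.finditer(bundle)]


def split_bundle(bundle: str) -> Dict[str, str]:
    """Separate the bundle into 'key', 'cert' and (if present) 'ca' texts.
    Assumption: the first CERTIFICATE block is the server certificate and
    any later ones are its CA chain."""
    blocks = parse_pem(bundle)
    keys = [b for lbl, b in blocks if lbl in KEY_LABELS]
    certs = [b for lbl, b in blocks if lbl == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    parts = {"key": keys[0], "cert": certs[0]}
    if len(certs) > 1:
        parts["ca"] = "".join(certs[1:])
    return parts


def write_split(bundle: str, outdir: str) -> Dict[str, str]:
    """Write each part to its own file; only the key file is mode 0600."""
    parts = split_bundle(bundle)
    paths = {name: os.path.join(outdir, f"{name}.pem") for name in parts}
    for name, text in parts.items():
        mode = 0o600 if name == "key" else 0o644
        fd = os.open(paths[name], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(paths[name], mode)  # umask-proof; O_CREAT mode is masked
    return paths


def render_slapd_conf(paths: Dict[str, str], rid: int, provider: str,
                      searchbase: str, binddn: str, credentials: str) -> str:
    """slapd.conf fragment: server TLS* directives plus a syncrepl consumer
    whose tls_* options point at the same separated files."""
    ca = paths.get("ca")
    server = [f"TLSCertificateFile {paths['cert']}",
              f"TLSCertificateKeyFile {paths['key']}"]
    if ca:
        server.insert(1, f"TLSCACertificateFile {ca}")
    consumer = [f"syncrepl rid={rid}", f"  provider={provider}",
                "  type=refreshAndPersist", f"  searchbase={searchbase}",
                "  bindmethod=simple", f"  binddn={binddn}",
                f"  credentials={credentials}", '  retry="30 +"',
                f"  tls_cert={paths['cert']}", f"  tls_key={paths['key']}"]
    if ca:
        consumer.append(f"  tls_cacert={ca}")
    return "\n".join(server + [""] + consumer) + "\n"


def demo(outdir: Optional[str] = None) -> Tuple[Dict[str, str], str, int]:
    """Split SAMPLE_BUNDLE into a temp dir; return paths, config, key mode."""
    outdir = outdir or tempfile.mkdtemp(prefix="slapd-tls-")
    paths = write_split(SAMPLE_BUNDLE, outdir)
    conf = render_slapd_conf(paths, rid=983,
                             provider="ldaps://myhost.nortel.com:10636",
                             searchbase="dc=nortel,dc=com",
                             binddn="cn=someaccount,dc=nortel,dc=com",
                             credentials="secret")
    key_mode = os.stat(paths["key"]).st_mode & 0o777
    return paths, conf, key_mode


if __name__ == "__main__":
    _, rendered, _ = demo()
    print(rendered)
```

Run it against a real bundle by replacing SAMPLE_BUNDLE with the file contents; the point of the split is that only slapd's key file carries the private key, while the certificate and CA files can stay world-readable.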