
How can I make the slave use TLS to connect to the master for syncrepl?



Hello

I am using version 2.4 and in the process of setting up a master/slave
pair using syncrepl.

This is working as expected if I don't enforce security and
confidentiality with the "security ssf=128" global directive in the
master.
As soon as I turn it on, replication stops working.

It seems that the slave consumer is not using TLS to connect to the
master. However, I can use 'ldapsearch' with the '-ZZ' option to connect
to the master from the slave and get all the records I want.

On my slave machine, I also have the following directive

  TLS_CACERT /etc/pki/tls/certs/ca.crt.crl

in ldap.conf

Notice that without this line the 'ldapXXX' commands with '-ZZ' fail from
the slave to the master. This confirms that 'ldap.conf' is in the
correct location, at least as far as the 'ldapXXX' commands are concerned.

Can someone point me in the right direction?  I have read many
chapters on this page

http://www.openldap.org/doc/admin24/index.html

Both slave and master are on CentOS 6.2 and the OpenLDAP software is the
standard CentOS RPM.

Here are the log entries on the master when the slave fails to bind with TLS:

May 27 22:14:53 cat slapd[2456]: conn=1000 fd=13 ACCEPT from IP=192.168.0.2:41083 (IP=0.0.0.0:389)
May 27 22:14:53 cat slapd[2456]: conn=1000 op=0 BIND dn="cn=root,dc=example,dc=com" method=128
May 27 22:14:53 cat slapd[2456]: conn=1000 op=0 RESULT tag=97 err=13 text=confidentiality required
May 27 22:14:53 cat slapd[2456]: conn=1000 op=1 UNBIND
May 27 22:14:53 cat slapd[2456]: conn=1000 fd=13 closed

Sincerely

Mr Wu
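The posted log shows a plain simple bind (method=128) on port 389 with no StartTLS in front of it, which is exactly what "security ssf=128" on the provider rejects with err=13. The syncrepl consumer does not issue StartTLS on its own; it only does so when the syncrepl directive carries the starttls= keyword, and the TLS settings it uses are the tls_* keywords of that same directive. The following consumer slapd.conf fragment is an added example, not taken from the post or from the OpenLDAP project; the provider host cat.example.com, the suffix, the replication identity cn=root,dc=example,dc=com (the DN in the posted log), the rid and the credentials are assumptions for illustration.

```conf
# Consumer (slave) slapd.conf -- added example, not from the original post.
# Assumed: provider reachable as ldap://cat.example.com:389, suffix
# dc=example,dc=com, replication bind DN cn=root,dc=example,dc=com,
# password "secret". Replace all of these with your own values.

# Before: no starttls= keyword. The consumer binds in the clear on port 389,
# and a provider configured with "security ssf=128" answers
# "err=13 text=confidentiality required", so replication never starts.
syncrepl rid=001
        provider=ldap://cat.example.com:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=root,dc=example,dc=com"
        credentials=secret

# After: StartTLS is negotiated before the bind and is mandatory
# (starttls=critical aborts the session instead of falling back to
# cleartext if the TLS handshake fails). The CA bundle that verifies the
# provider's certificate is named on the directive itself rather than
# relying on ldap.conf, and tls_reqcert=demand refuses a provider whose
# certificate does not chain to that CA.
syncrepl rid=001
        provider=ldap://cat.example.com:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=root,dc=example,dc=com"
        credentials=secret
        starttls=critical
        tls_cacert=/etc/pki/tls/certs/ca.crt.crl
        tls_reqcert=demand
```

Two checks are worth doing after the change: run slaptest against the new configuration before restarting the consumer, and then watch the provider log for the same conn= sequence. With StartTLS in place the ACCEPT line should be followed by a STARTTLS operation and a "TLS established" entry before the BIND, and the BIND should return err=0 instead of err=13. Note that starttls=yes would only attempt TLS and silently continue in cleartext on failure; against a provider that requires ssf=128 that still ends in err=13, so critical is the setting that matches the provider's policy.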