Dirk Kastens wrote:
Hi,
How about running ldapsearch with -d7, and also the corresponding search against back-meta using slapd -d7. Upload the output somewhere that we can review.
See ftp.openldap.org/incoming/...
You will find the following files:
ldapsearch_direct: directly searching the source server with ssl
ldapsearch_meta_starttls: searching the meta directory where the source server is connected via starttls (this works)
ldapsearch_meta_ssl: searching the meta directory where the source server is connected via ssl (this doesn't work)
slapd_meta_starttls: meta directory where the source server is connected via starttls (this works)
slapd_meta_ssl: meta directory where the source server is connected via ssl (this doesn't work). slapd hangs after searching and has to be killed with "kill -4".
Hope this helps.
I wasn't able to exactly reproduce the problem shown in your logs, but I did find a couple of problems here. For ldaps:// URLs, the back-meta config parser was ignoring the TLS settings. As such, it wasn't able to establish any ldaps session at all, unless there were usable settings in ldap.conf/ldaprc/etc... Also, back-meta was specifying that libldap should open its outbound connections asynchronously, and this wasn't working properly if the async connection succeeded immediately. (I.e., when told to open async, libldap would expect the connection to take a long time to complete, and defer the rest of initialization to a following library call. If it completed immediately, libldap would mis-handle the rest of initialization.)
I've pushed fixes for both of these problems to git master and back-meta works on ldaps:// for me now. Since I didn't reproduce your symptoms, I have no idea if this will improve things for you or not. Please test and follow up, thanks.
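The second problem in that reply, an asynchronous connect that completes before the caller expects it to, is a common pitfall in any non-blocking connect code. As an added illustration (not libldap's or back-meta's own code), here is a connect routine that handles both the immediate-completion and the deferred-completion outcome, plus a loopback listener helper assumed only for exercising it offline:

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
/* Illustration (not libldap code): non-blocking connect() that handles both
 * outcomes described above. Returns a connected fd, or -1 with errno set. */
int nb_connect(const char *ip, int port, int timeout_ms) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); errno = EINVAL; return -1; }
    if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK) < 0) { close(fd); return -1; }
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0)
        /* Completed synchronously (typical on loopback): the socket is usable
         * now. Code that assumes a deferred completion and defers the rest of
         * its setup to a later "finish" step mis-handles exactly this case. */
        return fd;
    if (errno != EINPROGRESS) { int e = errno; close(fd); errno = e; return -1; }
    /* Deferred: wait for writability, then read SO_ERROR (a writable socket can still carry a failed connect). */
    struct pollfd pfd = { .fd = fd, .events = POLLOUT };
    int rc = poll(&pfd, 1, timeout_ms);
    if (rc <= 0) { int e = (rc == 0) ? ETIMEDOUT : errno; close(fd); errno = e; return -1; }
    int err = 0; socklen_t len = sizeof err;
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0 || err != 0) {
        int e = err ? err : errno; close(fd); errno = e; return -1;
    }
    return fd;
}
/* Helper assumed for exercising nb_connect offline: a loopback listener on an
 * ephemeral port. Returns the listening fd and stores the port in *port. */
int loopback_listener(int *port) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 4) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    *port = ntohs(sa.sin_port);
    return fd;
}
```

Against a loopback listener the connect usually completes synchronously, which is precisely the path that a "deferred-only" implementation never exercises in testing against a remote host.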