Angela Gavazzi wrote:
On Tuesday, 6 March 2007 19:08, Pierangelo Masarati wrote:
Angela Gavazzi wrote:
I found out that the problem was double encrypting of the connection:
What does it mean "double encrypting of the connection"?
I mean that if I "force" encryption with demand on the provider and on the consumer, then I think the consumer tries to encrypt an encrypted connection. When I use allow on the consumer it works and is encrypted; I checked it with tcpdump.
It seems you haven't read the Admin Guide or the manpages. The TLSVerifyClient setting doesn't affect the encryption at all. It only controls whether the server will check for a client certificate.
It works now if I set TLSVerifyClient to max. allow on the consumer side. All stronger configurations end in: CA unknown.
This makes much more sense: your TLS configuration is broken. Are you using a self-signed certificate? Or, is your certificate signed by the CA to which the certificate pointed to by TLSCACertificateFile belongs?
The certificate is signed by the CA pointed to by TLSCACertificateFile.
In OpenLDAP 2.3 and older, you must also configure TLS_CACERT in the ldap.conf (or ldaprc) file on any servers that make outbound connections. In OpenLDAP 2.4 you can configure it explicitly in the syncrepl consumer configuration.
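As an added illustration of the two points made in this thread (TLSVerifyClient is a server-side setting that only governs client-certificate checking, and the consumer needs its own CA trust anchor for the outbound syncrepl connection), here is a constructed slapd.conf pair for OpenLDAP 2.4, followed by the 2.3-style ldap.conf alternative. This is not configuration from the original post; hostnames, DNs, file paths and the rid are made-up placeholders.

```conf
# ---- provider (server side) ----
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/provider.pem
TLSCertificateKeyFile /etc/openldap/certs/provider.key
# TLSVerifyClient does NOT control whether the session is encrypted;
# it only decides what happens when a connecting client presents (or
# does not present) a certificate:
#   never  - never ask for a client certificate
#   allow  - ask, accept none or an unverifiable one
#   try    - ask, accept none, but reject an unverifiable one
#   demand - ask, require a certificate chaining to TLSCACertificateFile
TLSVerifyClient demand

# ---- consumer (client side of the replication connection) ----
# TLSVerifyClient here only affects clients connecting TO the consumer;
# it has no effect on the consumer's own connection to the provider.
syncrepl rid=001
        provider=ldap://provider.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=secret
        starttls=critical
        # 2.4: TLS trust for the outbound connection is set right here.
        tls_cacert=/etc/openldap/certs/ca.pem
        # Needed because the provider above uses TLSVerifyClient demand:
        # the consumer must present a certificate signed by that CA.
        tls_cert=/etc/openldap/certs/consumer.pem
        tls_key=/etc/openldap/certs/consumer.key
        # demand = refuse to continue if the provider's cert does not
        # verify against tls_cacert ("CA unknown" means this check failed).
        tls_reqcert=demand
```

On OpenLDAP 2.3 the `tls_*` syncrepl keywords are not available; instead put `TLS_CACERT /etc/openldap/certs/ca.pem` (and `TLS_REQCERT demand`) in the ldap.conf read by the slapd process on the consumer, which is what the paragraph above refers to.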