Paul B. Henson wrote:
Finally, I ended up having to disable TLS on the replica and temporarily allow plaintext authentication on the master.
Just adding "packets" to your debug level would have given you readable packet logs, without having to compromise security by disabling TLS.
On reviewing the packet capture, it was immediately obvious that the search was failing with a protocol error because derefAliases was set to always. A quick Google search indicated that other people have had a similar problem, generally because they changed the global LDAP configuration file.
Indeed, I had switched to NFS home directories with the auto mounter, and LDAP integration for my deployment required dereferencing aliases by the auto mount client, so I had set "DEREF always" in /etc/openldap/ldap.conf, which is being inherited by slapd.
It would be useful if replication failure provided better error messages; something in the logs indicating that a protocol error had occurred because of an invalid dereferencing setting would have saved me a lot of time.
If you want suggestions to actually get acted on, submit an ITS.
Also, if alias dereferencing is not valid for a syncrepl query, shouldn't the server simply override that setting from the global configuration and do the right thing?
Ditto.
In any case, I find myself stuck: the auto mounter requires alias dereferencing in order to work, while slapd requires alias dereferencing disabled.
There appear to be three ways to define configuration: the global configuration file, a configuration file in the home directory, or an environment variable.
Re-read ldap.conf(5). There are other choices as well.
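As an added illustration of the point made in this exchange (this is not code from the thread or from the OpenLDAP project), the script below is a simplified shell model of how libldap layers the configuration sources listed in ldap.conf(5): the system-wide file, the per-user ldaprc/.ldaprc files, the file named by LDAPCONF or LDAPRC, then LDAP<OPTION> environment variables, with LDAPNOINIT disabling all defaulting. It constructs a temporary system-wide file containing "DEREF always" (the setting that broke syncrepl above) and shows how a process such as slapd can be isolated from that file through its own environment while the automount client keeps reading it. LDAP_SYSTEM_CONF is a hypothetical hook used only so the model can point at a constructed file instead of /etc/openldap/ldap.conf; the real library has no such variable, and the exact merge order here is a model, not a copy of libldap's code.

```shell
#!/bin/sh
# Added example, not part of the original thread. Simplified model of the
# configuration precedence documented in ldap.conf(5). Later sources override
# earlier ones:
#   1. system-wide file (LDAP_SYSTEM_CONF is a hypothetical stand-in for
#      /etc/openldap/ldap.conf, used here to point at a constructed file)
#   2. $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc
#   3. file named by $LDAPCONF, then $LDAPRC looked up in ./ and $HOME
#   4. environment variable LDAPDEREF
# If LDAPNOINIT is set, no file or variable is consulted at all and the
# library default ("never") applies.

# Print the last DEREF value found in one ldap.conf-style file (if readable).
# Keywords are case-insensitive; lines starting with '#' are comments.
deref_from_file() {
    [ -r "$1" ] || return 0
    awk 'tolower($1) == "deref" { v = tolower($2) } END { if (v != "") print v }' "$1"
}

# Resolve the DEREF value a libldap client would end up with.
effective_deref() {
    result="never"                      # libldap default when nothing sets DEREF
    if [ -n "${LDAPNOINIT:-}" ]; then
        echo "$result"
        return 0
    fi
    files="${LDAP_SYSTEM_CONF:-/etc/openldap/ldap.conf}
$HOME/ldaprc
$HOME/.ldaprc
./ldaprc"
    [ -n "${LDAPCONF:-}" ] && files="$files
$LDAPCONF"
    [ -n "${LDAPRC:-}" ] && files="$files
./$LDAPRC
$HOME/$LDAPRC"
    # Iterate one path per line; a later file's DEREF overrides an earlier one.
    echo "$files" | while IFS= read -r f; do
        v=$(deref_from_file "$f")
        if [ -n "$v" ]; then
            echo "$v"
        fi
    done | tail -n 1 > "${TMPDIR:-/tmp}/.deref.$$"
    if [ -s "${TMPDIR:-/tmp}/.deref.$$" ]; then
        result=$(cat "${TMPDIR:-/tmp}/.deref.$$")
    fi
    rm -f "${TMPDIR:-/tmp}/.deref.$$"
    if [ -n "${LDAPDEREF:-}" ]; then
        result=$(echo "$LDAPDEREF" | tr 'A-Z' 'a-z')
    fi
    echo "$result"
}

# Reproduce the situation from the thread with constructed files, in a subshell
# so the environment changes do not leak into the caller.
demo() (
    tmp=$(mktemp -d)
    HOME="$tmp"; export HOME
    printf 'URI ldap://ldap.example.com\nDEREF always\n' > "$tmp/ldap.conf"
    LDAP_SYSTEM_CONF="$tmp/ldap.conf"; export LDAP_SYSTEM_CONF
    echo "automount client, global file only:        $(effective_deref)"
    echo "slapd started with LDAPDEREF=never:        $(LDAPDEREF=never effective_deref)"
    echo "slapd started with LDAPNOINIT=1:           $(LDAPNOINIT=1 effective_deref)"
    printf 'DEREF searching\n' > "$tmp/.ldaprc"
    echo "same user with ~/.ldaprc overriding:       $(effective_deref)"
    rm -rf "$tmp"
)

demo
```

The practical reading of the model: the automount client and slapd both link libldap and therefore both start from the same system-wide file, so a value that one of them needs in that file reaches the other as well; a per-process environment (LDAPDEREF, LDAPCONF, or LDAPNOINIT set for the slapd service, for instance) is the layer that separates them without editing the global file.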