Craig Worgan wrote:
Hi Howard,
I actually thought that my certificate was bad, until I went back to 2.3 with the same certificate and configuration and it worked fine. Quanah pointed out the new TLS related syncrepl options which, when I added them to my config, fixed the problem. Thing is, I pointed the syncrepl options to the same certificate I am using for the TLS* server certificate directives. I am using a compound certificate, so my TLS related config looks like this:
...
TLSCertificateFile 0.pem
TLSCACertificateFile 0.pem
TLSCertificateKeyFile 0.pem
Combining the private and public elements of the certs into one file is not wise.
...
syncrepl rid=983
  provider=ldaps://myhost.nortel.com:10636
  type=refreshAndPersist
  searchbase=dc=nortel,dc=com
  bindmethod=simple
  binddn=cn=someaccount,dc=nortel,dc=com
  credentials=secret
  retry="30 +"
  tls_cert=0.pem
  tls_cacert=0.pem
  tls_key=0.pem
In 2.4, if you configure syncrepl over TLS and omit the new options, does OpenLDAP use the values that are configured for the server certificate settings (TLS*), if any?
That's already explicitly stated in the slapd.conf(5) manpage.
If so, I'm confused as to why it failed for me originally.
I have no idea, it works for me.
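Added example, not part of the thread and not OpenLDAP code: a small Python helper that detects a compound PEM file of the kind used above (server certificate, CA certificate and private key all in one `0.pem`), splits it into separate files so the private key can be kept at mode 0600 while the certificate and CA bundle stay readable, and renders the matching `TLS*` and syncrepl `tls_*` settings. It assumes the usual leaf-first ordering of a PEM bundle (first CERTIFICATE block is the server certificate, the rest are the chain); the file names it writes and the sample PEM bodies are constructed placeholders.

```python
"""Split a compound PEM (key + certificates in one file) into separate
files and render slapd.conf TLS settings for them.  Added example; the
leaf-first chain ordering and output file names are assumptions."""
import os
import re
import stat
import tempfile
from pathlib import Path

# One PEM block: "-----BEGIN X-----" ... "-----END X-----" with matching labels.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----\r?\n?", re.DOTALL
)

# Constructed stand-in for "0.pem": the body lines are placeholders, not
# real key or certificate material.
SAMPLE_COMPOUND_PEM = """-----BEGIN CERTIFICATE-----
MIIBserverCertPlaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBcaCertPlaceholder
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEprivateKeyPlaceholder
-----END RSA PRIVATE KEY-----
"""


def classify_pem(text):
    """Group the PEM blocks in `text` by kind: 'key', 'cert' or 'other'."""
    groups = {"key": [], "cert": [], "other": []}
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        if label.endswith("PRIVATE KEY"):
            groups["key"].append(m.group(0))
        elif label == "CERTIFICATE":
            groups["cert"].append(m.group(0))
        else:
            groups["other"].append(m.group(0))
    return groups


def is_compound(text):
    """True when one file carries both a private key and a certificate."""
    g = classify_pem(text)
    return bool(g["key"]) and bool(g["cert"])


def split_compound_pem(text, outdir):
    """Write leaf cert, CA chain and key to separate files in `outdir`.

    Returns the paths written (cacert is None when there is no chain) and
    the permission bits actually set on the key file.
    """
    g = classify_pem(text)
    if len(g["key"]) != 1 or not g["cert"]:
        raise ValueError("expected exactly one private key and >= 1 certificate")
    outdir = Path(outdir)
    cert_path = outdir / "server-cert.pem"   # assumed name
    key_path = outdir / "server-key.pem"     # assumed name
    ca_path = outdir / "ca-chain.pem"        # assumed name

    cert_path.write_text(g["cert"][0])       # leaf certificate (assumed first)
    # Create the key file closed to group/other before any bytes land in it;
    # umask can only narrow 0600, and the chmod pins it exactly.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(g["key"][0])
    os.chmod(key_path, 0o600)

    cacert = None
    if len(g["cert"]) > 1:
        ca_path.write_text("".join(g["cert"][1:]))
        cacert = str(ca_path)
    return {
        "cert": str(cert_path),
        "cacert": cacert,
        "key": str(key_path),
        "key_mode": stat.S_IMODE(os.stat(key_path).st_mode),
    }


def render_slapd_conf(paths):
    """slapd.conf lines for the server side plus the syncrepl tls_* keys."""
    lines = [
        f"TLSCertificateFile {paths['cert']}",
        f"TLSCertificateKeyFile {paths['key']}",
    ]
    if paths["cacert"]:
        lines.append(f"TLSCACertificateFile {paths['cacert']}")
    syncrepl = f"tls_cert={paths['cert']} tls_key={paths['key']}"
    if paths["cacert"]:
        syncrepl += f" tls_cacert={paths['cacert']}"
    lines.append("# append to the syncrepl directive: " + syncrepl)
    return "\n".join(lines)


def demo(outdir=None):
    """Split the constructed sample into a temp dir; returns the path dict."""
    outdir = outdir or tempfile.mkdtemp(prefix="pemsplit-")
    return split_compound_pem(SAMPLE_COMPOUND_PEM, outdir)


if __name__ == "__main__":
    print("compound:", is_compound(SAMPLE_COMPOUND_PEM))
    print(render_slapd_conf(demo()))
```

Run it against a real bundle by replacing `SAMPLE_COMPOUND_PEM` with the file contents; the `key_mode` field in the result is the quick check that the private key did not end up world-readable.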