On 2017-06-02 17:46, r0m5 wrote:

On 2017-06-02 16:55, Quanah Gibson-Mount wrote:

--On Friday, June 02, 2017 11:01 AM +0200 r0m5 <r0m5@r0m5.eu> wrote:


Hello,

I am facing an issue with syncrepl and STARTTLS on 389 port. The kind of
problem happening only sometimes, and disappearing "by itself". I use
Debian Jessie, OpenLDAP 2.4.40+dfsg-1+deb8u2.

2.4.40 is 2.5 years old, 5 point releases behind, and had significant known replication issues.  I believe there is a build of 2.4.44 in backports for Jessie.  I would advise using that instead.

As far as debug logging, you would need to use "-d -1" to slapd, rather than attempting to set the loglevel to -1, as some debug logging is only possible via the slapd daemon.  But your first step is to move to a current release.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Hello!

Thanks for your reply. I just upgraded the preproduction environment provider and consumers to the jessie-backports version. I will check the prod to preprod injections during the next days then let you know.

Have a good weekend!


Hello!

I upgraded to 2.4.44 but still had problems (fewer, though). So I used "-d -1" with slapd instead of olcLoglevel as you said, and then I noticed there was a problem with certificate validation even when using demand or allow for TLS reqcert in olcSyncrepl and in /etc/ldap/ldap.conf. I was at that time using self-signed certificates.

So I set up a PKI and now it looks OK regarding syncrepl. So I guess my problem might be related to ITS#8427, which I didn't see before posting here.

I still have issues though, with applications randomly failing STARTTLS to my consumers :-(

Regards,
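As an added example (not code from the thread or from OpenLDAP itself), the following Python audit parses olcSyncrepl values of the kind discussed above and flags the TLS settings that would let a consumer replicate over an unverified or plaintext channel: a ldap:// provider with no starttls, starttls=yes rather than critical, or tls_reqcert other than demand. The sample values and the provider.example.invalid hostname are constructed; the defaults assumed (starttls off, tls_reqcert=demand) follow the slapd.conf(5) and ldap.conf(5) man pages.

```python
import re

# Constructed sample olcSyncrepl values (not from the thread); hostname is a placeholder.
SAMPLE_SYNCREPL = [
    'rid=001 provider=ldap://provider.example.invalid:389 bindmethod=simple '
    'binddn="cn=replicator,dc=example,dc=invalid" credentials=secret '
    'searchbase="dc=example,dc=invalid" type=refreshAndPersist '
    'starttls=critical tls_reqcert=demand tls_cacert=/etc/ssl/certs/ca.pem',
    'rid=002 provider=ldap://provider.example.invalid:389 bindmethod=simple '
    'searchbase="dc=example,dc=invalid" starttls=yes tls_reqcert=allow',
    'rid=003 provider=ldap://provider.example.invalid:389 bindmethod=simple '
    'searchbase="dc=example,dc=invalid"',
]

# key=value or key="quoted value" tokens, as in an olcSyncrepl attribute value
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syncrepl(value):
    """Split one olcSyncrepl value into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in TOKEN.findall(value)}


def audit_syncrepl(value):
    """Return findings for one olcSyncrepl value; an empty list means the
    consumer only replicates over TLS with the provider certificate verified."""
    cfg = parse_syncrepl(value)
    findings = []
    scheme = cfg.get("provider", "").split("://", 1)[0]
    starttls = cfg.get("starttls", "no")          # no StartTLS unless configured
    reqcert = cfg.get("tls_reqcert", "demand")    # ldap.conf(5) default is demand
    if scheme == "ldap" and starttls == "no":
        findings.append("no TLS: ldap:// provider without starttls")
    elif scheme == "ldap" and starttls != "critical":
        # starttls=yes: if the StartTLS request fails, syncrepl carries on in clear
        findings.append("starttls=yes: replication continues in clear if STARTTLS fails")
    if scheme in ("ldap", "ldaps") and reqcert != "demand":
        # never/allow/try accept a missing or unverifiable provider certificate
        findings.append(f"tls_reqcert={reqcert}: provider certificate not strictly verified")
    return findings


def audit_all(values):
    """Map each rid to its findings, so a slapd consumer config can be reviewed at once."""
    return {parse_syncrepl(v).get("rid", "?"): audit_syncrepl(v) for v in values}


if __name__ == "__main__":
    for rid, findings in audit_all(SAMPLE_SYNCREPL).items():
        print(rid, findings or "OK")
```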