Ralf Zimmermann r.zimmermann@siegnetz.de writes:
Hi all,
I think I have a problem with the chain overlay and TLS. We have one physical master and two slaves in VMware vSphere 4. Our configuration normally runs fine, but sometimes we can't modify entries like passwords on the master. Then we must restart slapd on the slaves. After restarting slapd, all works fine, and slapd then works fine the whole day. We can change entries or set passwords on the slaves. The next morning we must restart slapd again, because we can't modify entries from the slaves. But we can query slapd, and syncrepl works fine. Only things that go over the chain overlay don't work. I have the problem not only with version 2.4.20. I tested more versions, and currently 2.4.21 on physical hardware.
If I can't set entries on the slave, I don't see any TCP packets from the slave to the master. DNS, time and so on look fine, and everything else is working. And if we restart slapd, everything is working. Does anybody know what is going wrong, and whether there exists a workaround? I read some things about /dev/random, /dev/urandom and kernel 2.6 in VMware. Can this be the problem?
Here is the chain overlay configuration.
<snip slapd.conf>
overlay chain
chain-uri "ldap://eisenherz.camelot.de/"
chain-idassert-bind bindmethod=simple
    binddn="cn=ldapadmin,dc=camelot,dc=de"
    credentials="xxxxxx"
    mode="self"
chain-rebind-as-user TRUE
chain-return-error TRUE
chain-tls start
</snip slapd.conf>
Any help is appreciated.
What version is this? I found that with 2.4.21 a tls_cacert option solved my problem.
chain-tls start tls_cacert="/opt/openldap/etc/openldap/certs/avciCA.pem" tls_reqcert="demand"
slapd-ldap(5) provides more TLS options.
-Dieter
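As an added illustration (not from either poster), here is Ralf's chain overlay stanza as posted, followed by the same stanza with the TLS options Dieter describes. The master URI, bind DN and credentials placeholder are taken from Ralf's snippet; the CA file path is Dieter's, and both are assumptions about your own deployment. The chain-tls directive accepts the same TLS parameters documented in slapd-ldap(5), and slapd.conf treats a line starting with whitespace as a continuation of the previous directive.

```conf
# Added example, not code from the original thread.
# As posted: TLS is started on the chained connection to the master, but
# slapd is given no CA to verify the master's certificate against.
overlay chain
chain-uri            "ldap://eisenherz.camelot.de/"
chain-idassert-bind  bindmethod=simple
                     binddn="cn=ldapadmin,dc=camelot,dc=de"
                     credentials="xxxxxx"
                     mode="self"
chain-rebind-as-user TRUE
chain-return-error   TRUE
chain-tls            start

# With the options from Dieter's reply: point the chaining client at the CA
# that signed the master's server certificate and require verification
# (tls_reqcert=demand), so the chained bind either validates the master's
# certificate or fails with an error that chain-return-error passes back
# to the client instead of leaving the modify hanging.
# The CA path is an assumption taken from Dieter's message; substitute yours.
overlay chain
chain-uri            "ldap://eisenherz.camelot.de/"
chain-idassert-bind  bindmethod=simple
                     binddn="cn=ldapadmin,dc=camelot,dc=de"
                     credentials="xxxxxx"
                     mode="self"
chain-rebind-as-user TRUE
chain-return-error   TRUE
chain-tls            start
                     tls_cacert="/opt/openldap/etc/openldap/certs/avciCA.pem"
                     tls_reqcert="demand"
```

A quick way to confirm the CA file actually validates the master before relying on it from the chain overlay: from a slave, run ldapsearch with -ZZ (StartTLS, fail if it cannot be established) against the master's URI with the environment variables LDAPTLS_CACERT set to that same PEM file and LDAPTLS_REQCERT=demand, as described in ldap.conf(5). If that search fails with a certificate verification error, the chained connection will fail the same way, and the CA file or the master's certificate chain needs fixing first.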