On 07/31/2013 12:36 PM, Tony Davis wrote:
Hi,
I wonder if anyone can help me with a question I have regarding an OpenLDAP setup on Red Hat / CentOS 5.8 using openldap-2.3.43.
I am trying to set up replication. I have set this up using the simple bind method, which stores a password for the replication in the config (this works), but I wondered if there was a way to have this replication take place using SSL certificates without the need to store the unhashed password in slapd.conf? Is this possible, or do I still have to specify a replication user and password, with all the auth taking place over SSL?
This is my current config for replication:
syncrepl rid=001
    provider=ldap://master01.tld
    type=refreshAndPersist
    interval=00:00:05:00
    retry="5 5 300 +"
    searchbase="dc=tld"
    attrs="*,+"
    bindmethod=sasl
    saslmech=EXTERNAL
    tls_cert=/etc/master02.tld.pem
    tls_key=/etc/master02.tld.key
    tls_cacert=/etc/openldap/cacerts/ca.pem
    tls_reqcert=demand
    starttls=yes
mirrormode on
updateref ldap://master01.tld
but in the replication log I get the following:
Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7)
Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying (3 retries left)
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on:
I'm struggling with a similar problem (see the message "N-Way Multi-Master TLS problem" from a few hours ago), so I'm afraid I don't have an answer for you. This FAQ entry might help:
http://www.openldap.org/faq/data/cache/1504.html
One tip: usually the developers/experienced folks on this list will advise you to upgrade your OpenLDAP version to the latest version using packages available from http://ltb-project.org or to build the latest OpenLDAP from source against OpenSSL (not GnuTLS). Between 2.3.43 and the latest 2.4.35 version many syncrepl bugs have been fixed, so maybe start with that.
If you find a solution I would appreciate it if you could update the thread. It might provide a pointer on how to solve my problem.
Regards, Patrick
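Added note and example (not part of the thread above, and not OpenLDAP code). Two things in the original question are worth spelling out. Result code 7 in `ldap_sasl_interactive_bind_s failed (7)` is LDAP_AUTH_METHOD_NOT_SUPPORTED: slapd returns it when the SASL mechanism the client asked for is not available on that connection, and EXTERNAL is only offered after the provider has requested and verified a client certificate (TLSVerifyClient on master01 set to allow, try or demand, with a TLSCACertificateFile that can validate master02's certificate; the default, never, does not ask for one). Once that works, the identity slapd sees is not a user entry but the certificate's subject DN, written as an LDAP string and reversed from X.509 order, which then has to be mapped (authz-regexp) or granted access directly (ACL by dn=) before syncrepl is allowed to read the tree. The script below models that identity derivation and mapping so the regexp can be checked offline; the subject `o=Example Ltd` / `ou=Servers` and the target `ou=replicas,dc=tld` are assumed for illustration.

```python
"""Model of how slapd turns a verified TLS client certificate into a SASL
EXTERNAL identity and how authz-regexp maps that identity to a directory DN.

Added, stand-alone example written for this thread; it is not OpenLDAP code.
The subject values and the ou=replicas,dc=tld target are assumptions.
"""
import re

# RFC 4514 characters that must be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for the LDAP string form of a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == last and ch == " "
        out.append("\\" + ch if ch in _SPECIAL or leading or trailing else ch)
    return "".join(out)


def cert_subject_to_authcid(subject):
    """SASL EXTERNAL authentication identity slapd derives from a client cert.

    `subject` is the list of (type, value) pairs in X.509 encoding order, most
    significant first (C, O, OU, CN).  The LDAP string form lists the least
    significant RDN first, which is why the subject looks reversed in
    ldapwhoami output ("dn:cn=...,ou=...,o=...,c=...").
    """
    rdns = [f"{t.lower()}={escape_rdn_value(v)}" for t, v in reversed(subject)]
    return "dn:" + ",".join(rdns)


def normalize_dn(dn: str) -> str:
    """Approximation of slapd's DN normalisation before authz-regexp matching:
    drop the 'dn:' prefix, trim whitespace around unescaped commas and
    case-fold (cn, o, ou and c use case-insensitive matching rules)."""
    if dn.startswith("dn:"):
        dn = dn[3:]
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip() for p in parts).lower()


def apply_authz_regexp(rules, authcid):
    """Emulate `authz-regexp <match> <replace>` directives from slapd.conf.

    Rules are tried in order against the normalized identity; the first match
    wins and $1..$9 in the replacement are filled from its groups.  Returns
    None when nothing matches: slapd then keeps the identity unchanged, so it
    will not match any entry or `by dn=` ACL clause and gets no access.
    """
    ident = normalize_dn(authcid)
    for pattern, replacement in rules:
        m = re.search(pattern, ident)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


# Constructed subject for the consumer's certificate (assumed, not from the post).
MASTER02_SUBJECT = [("C", "GB"), ("O", "Example Ltd"), ("OU", "Servers"), ("CN", "master02.tld")]

# The same mapping as it would appear in the provider's slapd.conf:
#   authz-regexp "^cn=([^,]+),ou=servers,o=example ltd,c=gb$" "cn=$1,ou=replicas,dc=tld"
AUTHZ_RULES = [
    (r"^cn=([^,]+),ou=servers,o=example ltd,c=gb$", "cn=$1,ou=replicas,dc=tld"),
]


def replication_dn_for(subject, rules=AUTHZ_RULES):
    """Identity the provider's ACLs will see for a consumer presenting `subject`."""
    return apply_authz_regexp(rules, cert_subject_to_authcid(subject))


if __name__ == "__main__":
    print("SASL EXTERNAL identity:", cert_subject_to_authcid(MASTER02_SUBJECT))
    print("after authz-regexp:    ", replication_dn_for(MASTER02_SUBJECT))
    # A host certificate from the same CA but a different OU does not match the
    # rule, so it gets no replication access although the TLS handshake succeeded.
    stray = [("C", "GB"), ("O", "Example Ltd"), ("OU", "Workstations"), ("CN", "laptop07")]
    print("unmapped identity:     ", replication_dn_for(stray))
```

Before touching syncrepl, the mapping can be checked from the consumer with the command-line tools: `LDAPTLS_CERT=/etc/master02.tld.pem LDAPTLS_KEY=/etc/master02.tld.key ldapwhoami -H ldap://master01.tld -ZZ -Y EXTERNAL` prints the identity the provider actually assigned (the raw `dn:cn=...` subject if no authz-regexp matched); if that bind fails with the same "method not supported" error, the provider is not requesting or not accepting the client certificate and no syncrepl setting on the consumer will fix it.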