Hi,
I wonder if anyone can help me with a question I have regarding an OpenLDAP setup on Red Hat / CentOS 5.8 using openldap-2.3.43.
I am trying to set up replication. I have set this up using the simple bind method, which stores a password for the replication in the config (this works), but I wondered if there was a way to have this replication take place using SSL certificates without the need to store the unhashed password in slapd.conf. Is this possible, or do I still have to specify a replication user and password, but with all the auth taking place over SSL?
This is my current config for replication:
syncrepl rid=001
    provider=ldap://master01.tld
    type=refreshAndPersist
    interval=00:00:05:00
    retry="5 5 300 +"
    searchbase="dc=tld"
    attrs="*,+"
    bindmethod=sasl
    saslmech=EXTERNAL
    tls_cert=/etc/master02.tld.pem
    tls_key=/etc/master02.tld.key
    tls_cacert=/etc/openldap/cacerts/ca.pem
    tls_reqcert=demand
    starttls=yes
mirrormode on
updateref ldap://master01.tld
but in the replication log I get the following:
Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7)
Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying (3 retries left)
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on:
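The following is an added example, not part of the original post, of the provider-side slapd.conf that certificate-based (SASL EXTERNAL) replication needs on master01.tld; the consumer config in the post already has the right shape. Result code 7 from ldap_sasl_interactive_bind_s is LDAP_AUTH_METHOD_NOT_SUPPORTED, which slapd returns for an EXTERNAL bind when the TLS session gave the client no authentication identity, typically because the provider never requested, or could not verify, the client certificate. The certificate subject (cn=master02.tld,o=example,c=gb), the ou=replicators container, the backend and the file paths below are assumptions; substitute the real subject of master02.tld.pem.

```conf
# master01.tld (provider) slapd.conf excerpt -- added example, not from the
# original post. Subject DN, container and paths are assumptions.

# Server-side TLS material; the CA must be the one that signed the
# consumer's client certificate.
TLSCACertificateFile   /etc/openldap/cacerts/ca.pem
TLSCertificateFile     /etc/master01.tld.pem
TLSCertificateKeyFile  /etc/master01.tld.key

# Request and verify a client certificate. With the default ("never") no
# certificate is asked for, so SASL EXTERNAL has no identity to offer and
# the bind fails with result 7. "demand" rejects clients without a valid
# certificate; use "try" if anonymous/simple clients must still connect.
TLSVerifyClient        demand

# SASL EXTERNAL presents the verified certificate subject as an LDAPv3 DN
# (e.g. cn=master02.tld,o=example,c=gb). Map it onto an identity under the
# replicated suffix; the regex is applied to the normalized subject and is
# case-insensitive. The target DN does not have to exist as an entry.
authz-regexp
    "^cn=([^,]+),o=example,c=gb$"
    "cn=$1,ou=replicators,dc=tld"

database   bdb
suffix     "dc=tld"
rootdn     "cn=admin,dc=tld"
directory  /var/lib/ldap

# The consumer pulls attrs="*,+", so the mapped identity needs read access
# to every entry and attribute; "break" lets later ACLs still apply to
# everyone else.
access to *
    by dn.exact="cn=master02.tld,ou=replicators,dc=tld" read
    by * break

# Existing provider-side replication settings stay as they were.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
```

To check the mapping before touching syncrepl, run from master02 with TLS_CERT, TLS_KEY and TLS_CACERT set in ~/.ldaprc for the user running the command: `ldapwhoami -H ldap://master01.tld -ZZ -Y EXTERNAL`. It should print the mapped DN (dn:cn=master02.tld,ou=replicators,dc=tld under the assumptions above); if it prints the raw certificate subject instead, the authz-regexp did not match, and if it fails with result 7 the provider is not requesting or not verifying the certificate. Also confirm that the account slapd runs as on master02 can read /etc/master02.tld.key, since syncrepl loads the key inside the slapd process rather than as root.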