Hi,

I wonder if anyone can help me with a question I have regarding an OpenLDAP setup on Red Hat / CentOS 5.8 using openldap-2.3.43.

I am trying to set up replication. I have set this up using the simple bind method, which stores a password for the replication in the config (this works), but I wondered if there was a way to have this replication take place using SSL certificates without the need to store the unhashed password in the slapd.conf? Is this possible, or do I still have to specify a replication user and password, but all the auth takes place over SSL?

This is my current config for replication:

syncrepl rid=001
        provider=ldap://master01.tld
        type=refreshAndPersist
        interval=00:00:05:00
        retry="5 5 300 +"
        searchbase="dc=tld"
        attrs="*,+"
        bindmethod=sasl
        saslmech=EXTERNAL
        tls_cert=/etc/master02.tld.pem
        tls_key=/etc/master02.tld.key
        tls_cacert=/etc/openldap/cacerts/ca.pem
        tls_reqcert=demand
        starttls=yes

        mirrormode on
        updateref ldap://master01.tld

but in the replication log I get the following:

Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7)
Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying (3 retries left)
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on:
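An added example (not part of the post above, and not OpenLDAP's own tooling) that shows how to check a slapd.conf for exactly the property the question is about: whether the consumer's bind to the provider depends on a cleartext password in the file, or on a client certificate via SASL EXTERNAL. It parses the indented continuation-line layout slapd.conf(5) uses, then lints each syncrepl stanza for the credential and TLS settings. The embedded config is constructed for the example: the first stanza is the one from the post (with `mirrormode` and `updateref` left unindented, since an indented line is a continuation of the previous directive in slapd.conf), and the second stanza, with the hypothetical provider `master03.example` and a dummy password, is the simple-bind variant the poster wants to move away from. For reference, LDAP result code 7 in the log line is authMethodNotSupported (RFC 4511); the lint below does not diagnose that, it only reports what the stanza relies on.

```python
"""Lint slapd.conf syncrepl stanzas for replication credential hygiene.

Added example; not from the original post and not an OpenLDAP tool.
"""
import shlex

# Constructed sample config: the poster's SASL EXTERNAL stanza, followed by a
# hypothetical simple-bind stanza that stores the replication password.
SAMPLE_CONF = """\
syncrepl rid=001
        provider=ldap://master01.tld
        type=refreshAndPersist
        interval=00:00:05:00
        retry="5 5 300 +"
        searchbase="dc=tld"
        attrs="*,+"
        bindmethod=sasl
        saslmech=EXTERNAL
        tls_cert=/etc/master02.tld.pem
        tls_key=/etc/master02.tld.key
        tls_cacert=/etc/openldap/cacerts/ca.pem
        tls_reqcert=demand
        starttls=yes
mirrormode on
updateref ldap://master01.tld

syncrepl rid=002
        provider=ldap://master03.example
        type=refreshOnly
        searchbase="dc=tld"
        bindmethod=simple
        binddn="cn=replicator,dc=tld"
        credentials=dummy-password-for-example
"""


def parse_directives(text):
    """Return (directive, args) pairs; a line starting with whitespace continues
    the previous directive, blank and '#' lines are ignored (slapd.conf(5))."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives = []
    for line in logical:
        tokens = shlex.split(line)  # honours the double-quoted values
        directives.append((tokens[0], tokens[1:]))
    return directives


def syncrepl_params(args):
    """Turn syncrepl key=value tokens into a dict with lower-cased keys."""
    params = {}
    for tok in args:
        key, _, value = tok.partition("=")
        params[key.lower()] = value
    return params


def lint_syncrepl(params):
    """Return a list of (code, message) findings for one syncrepl stanza."""
    findings = []
    provider = params.get("provider", "").lower()
    starttls = params.get("starttls", "no").lower()
    encrypted = provider.startswith("ldaps://") or starttls in ("yes", "critical")
    if not encrypted:
        findings.append(("NO_TLS", "session is not TLS-protected: no starttls= and no ldaps:// provider"))
    elif starttls == "yes":
        # starttls=yes continues in cleartext if StartTLS fails; critical aborts.
        findings.append(("STARTTLS_NOT_CRITICAL", "starttls=yes falls back to cleartext if StartTLS fails; use starttls=critical"))
    method = params.get("bindmethod", "simple").lower()
    if method == "simple":
        if "credentials" in params:
            findings.append(("CLEARTEXT_CREDENTIALS", "replication password stored in cleartext in credentials="))
    elif method == "sasl" and params.get("saslmech", "").upper() == "EXTERNAL":
        missing = [k for k in ("tls_cert", "tls_key", "tls_cacert") if k not in params]
        if missing:
            findings.append(("MISSING_CLIENT_CERT", "SASL EXTERNAL needs a client certificate; missing " + ", ".join(missing)))
        if params.get("tls_reqcert", "").lower() != "demand":
            findings.append(("NO_PEER_VERIFY", "tls_reqcert is not 'demand'; the provider certificate is not verified"))
        if "credentials" in params:
            findings.append(("UNNEEDED_CREDENTIALS", "credentials= is not used with SASL EXTERNAL; remove it"))
    return findings


def lint_conf(text):
    """Map each syncrepl rid to its findings (empty list means clean)."""
    report = {}
    for name, args in parse_directives(text):
        if name.lower() == "syncrepl":
            params = syncrepl_params(args)
            report[params.get("rid", "?")] = lint_syncrepl(params)
    return report


if __name__ == "__main__":
    for rid, findings in lint_conf(SAMPLE_CONF).items():
        for code, msg in findings or [("OK", "no findings")]:
            print(f"rid {rid}: {code}: {msg}")
```

Run against the sample, rid 001 only gets the `starttls=yes` caveat, while rid 002 is flagged both for the cleartext password and for having no TLS at all; a stanza with an `ldaps://` provider, SASL EXTERNAL, all three `tls_*` files and `tls_reqcert=demand` produces no findings.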