Hello,
I'm trying to get syncrepl working, using simple bind over TLS. TLS is failing with
Consumer:

Oct 12 17:21:53 auth-01 slapd[23241]: slap_client_connect: URI=ldap://auth-00.vis.kaust.edu.sa Error, ldap_start_tls failed (-11)
Oct 12 17:21:53 auth-01 slapd[23241]: do_syncrepl: rid=000 rc -11 retrying (3 retries left)

Provider:

Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 fd=137 ACCEPT from IP=109.171.138.17:39458 (IP=0.0.0.0:389)
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 op=0 STARTTLS
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 op=0 RESULT oid= err=0 text=
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 fd=137 closed (TLS negotiation failure)
TLS is working for other uses of the server, including ldapsearch:

auth-01$ ldapsearch -ZZ -x -D cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa -W -H ldap://auth-00.vis.kaust.edu.sa uid=iain

Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 fd=137 ACCEPT from IP=109.171.138.17:39460 (IP=0.0.0.0:389)
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 op=0 STARTTLS
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 op=0 RESULT oid= err=0 text=
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 fd=137 TLS established tls_ssf=256 ssf=256
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=1 BIND dn="cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa" method=128
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=1 BIND dn="cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa" mech=SIMPLE ssf=0
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=1 RESULT tag=97 err=0 text=
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=2 SRCH base="dc=vis,dc=kaust,dc=edu,dc=sa" scope=2 deref=0 filter="(uid=iain)"
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=2 ENTRY dn="uid=iain,ou=people,dc=vis,dc=kaust,dc=edu,dc=sa"
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 op=3 UNBIND
Oct 12 17:24:15 auth-00 slapd[7190]: conn=466 fd=137 closed
and any number of clients are cheerfully using it through {pam,nss}_ldap and sssd.
I'm not sure where to attack this from. The TLS settings should be identical. Any thoughts on how to proceed would be appreciated.
consumer:

$ lsb_release -a
LSB Version:    :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: Scientific
Description:    Scientific Linux release 6.1 (Carbon)
Release:        6.1
Codename:       Carbon
$ rpm -q openldap-servers
openldap-servers-2.4.23-15.el6.x86_64
From slapd.conf:
syncrepl rid=000
    provider=ldap://auth-00.vis.kaust.edu.sa
    searchbase=dc=vis,dc=kaust,dc=edu,dc=sa
    bindmethod=simple
    binddn=cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa
    credentials=mysecret
    type=refreshOnly
    retry="10 3 120 5 600 +"
    tls_cacert=/etc/ssl/VisLabCA.pem
    tls_reqcert=allow
    starttls=critical
provider:

$ lsb_release -a
LSB Version:    :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 5.6 (Final)
Release:        5.6
Codename:       Final
$ rpm -q openldap-servers
openldap-servers-2.3.43-12.el5_5.3
Iain.
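An added example, not part of Iain's post and not OpenLDAP's own tooling. The ldapsearch test in the message passes no TLS options, so it negotiates with whatever TLS_CACERT/TLS_REQCERT the client library reads from ldap.conf, not with the stanza's tls_cacert=/etc/ssl/VisLabCA.pem and tls_reqcert=allow; the two handshakes are therefore not the same test. The script below pulls those values out of the syncrepl stanza, builds an ldapsearch that uses exactly them (LDAPTLS_* environment variables override ldap.conf, per ldap.conf(5)) with client tracing enabled so the failure is reported as more than rc -11 (LDAP_CONNECT_ERROR), and picks the connections that died in the TLS handshake out of the provider log. The hostnames and DNs are the ones from the post; the log sample and the REDACTED credentials are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the syncrepl consumer's
# STARTTLS handshake with the same TLS settings as the stanza, and find the
# provider connections that failed during TLS negotiation.

# The stanza from the post, with the credentials replaced by a placeholder.
SYNCREPL_STANZA='syncrepl rid=000 provider=ldap://auth-00.vis.kaust.edu.sa searchbase=dc=vis,dc=kaust,dc=edu,dc=sa bindmethod=simple binddn=cn=syncrepl,dc=vis,dc=kaust,dc=edu,dc=sa credentials=REDACTED type=refreshOnly retry="10 3 120 5 600 +" tls_cacert=/etc/ssl/VisLabCA.pem tls_reqcert=allow starttls=critical'

# Constructed provider log lines modelled on the post: one failed, one good.
PROVIDER_LOG_SAMPLE='Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 op=0 STARTTLS
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 op=0 RESULT oid= err=0 text=
Oct 12 17:21:53 auth-00 slapd[7190]: conn=451 fd=137 closed (TLS negotiation failure)
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 op=0 STARTTLS
Oct 12 17:23:58 auth-00 slapd[7190]: conn=466 fd=137 TLS established tls_ssf=256 ssf=256'

# syncrepl_opt STANZA KEY: print the value of KEY=VALUE from the stanza with
# surrounding quotes stripped, or nothing if KEY is absent. The keys looked up
# here never contain blanks, so splitting on blanks is safe even though the
# quoted retry="..." value does.
syncrepl_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 \
        | sed -e 's/^"//' -e 's/"$//'
}

# syncrepl_tls_env STANZA: environment assignments that make ldapsearch use the
# stanza's CA file and certificate-checking policy instead of ldap.conf's.
syncrepl_tls_env() {
    cacert=$(syncrepl_opt "$1" tls_cacert)
    reqcert=$(syncrepl_opt "$1" tls_reqcert)
    [ -n "$cacert" ]  && printf 'LDAPTLS_CACERT=%s\n' "$cacert"
    [ -n "$reqcert" ] && printf 'LDAPTLS_REQCERT=%s\n' "$reqcert"
    return 0
}

# syncrepl_probe_cmd STANZA: an ldapsearch that performs the same STARTTLS and
# simple bind as the consumer's slapd. -d 1 prints the client library's TLS
# trace, which names the actual handshake error; -ZZ makes STARTTLS mandatory,
# matching starttls=critical; "-s base 1.1" reads the base entry with no
# attributes so the bind is exercised without pulling data.
syncrepl_probe_cmd() {
    uri=$(syncrepl_opt "$1" provider)
    binddn=$(syncrepl_opt "$1" binddn)
    base=$(syncrepl_opt "$1" searchbase)
    printf 'ldapsearch -ZZ -x -d 1 -H %s -D %s -W -b %s -s base 1.1\n' \
        "$uri" "$binddn" "$base"
}

# tls_failed_conns: read a slapd provider log on stdin and print the conn ids
# whose STARTTLS request was accepted but whose handshake then failed.
tls_failed_conns() {
    grep 'closed (TLS negotiation failure)' \
        | sed -n 's/.* conn=\([0-9]*\) .*/\1/p' | sort -u
}

# Print the reproduction recipe. The probe itself only runs with --run, since
# it needs the provider on the network; run it as the user slapd runs as, so
# that file permissions on the CA file are the same as for the daemon.
echo "# on the consumer:"
syncrepl_tls_env "$SYNCREPL_STANZA" | sed 's/^/export /'
syncrepl_probe_cmd "$SYNCREPL_STANZA"
if [ "${1-}" = "--run" ]; then
    eval "$(syncrepl_tls_env "$SYNCREPL_STANZA" | sed 's/^/export /')"
    eval "$(syncrepl_probe_cmd "$SYNCREPL_STANZA")"
fi
echo "# provider connections that failed in the TLS handshake:"
printf '%s\n' "$PROVIDER_LOG_SAMPLE" | tls_failed_conns
```

Two things to keep in mind when reading the result. The provider log in the post shows STARTTLS answered with err=0 on both the failing and the working connection, so the provider is not refusing STARTTLS; the difference is in the handshake that follows, which is where the client's CA file, verification policy and cipher support come into play. Also, the consumer's Scientific Linux 6 openldap packages are built against Mozilla NSS rather than OpenSSL, so its TLS_CACERT/TLS_CACERTDIR settings are interpreted by the NSS backend, while the CentOS 5 provider uses OpenSSL; running the probe with the stanza's exact values on the consumer shows whether that backend accepts /etc/ssl/VisLabCA.pem as given.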