Hello,
I use the following ldapsearch command:
ldapsearch -H ldaps://ldap.mydomain.fr:1024 -x -W -D "cn=syncrepluser,o=others,dc=mydomain,dc=fr"
I did configure the TLS cert files before the syncrepl configuration:
TLSCACertificateFile /etc/ssl/certs/ldap-replic-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-replic-cert.pem
TLSCertificateKeyFile /etc/ssl/certs/ldap-replic-cert.pem
But those certificates are for the LDAP consumer, if I'm not wrong.
I am currently trying the following configuration, thanks to your information:
Syncrepl rid=003
    provider=ldaps://ldap.mydomain.fr:1024/
    type=refreshOnly
    retry="60 10 600 +"
    interval=00:00:00:10
    searchbase="dc=mydomain,dc=fr"
    scope=sub
    schemachecking=on
    bindmethod=simple
    tls_cert=/etc/ssl/certs/ldap-cert.pem
    tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem
    binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
    credentials=my_password
where tls_cert and tls_cacert provide the cert from the master server.
It seems that the replication is working, but I get another confusing error:
Oct 14 12:46:53 server slapd[32470]: slap_client_connect: URI=ldaps://ldap.mydomain.fr:1024/ TLS context initialization failed (-1)
Oct 14 12:46:53 server slapd[32470]: do_syncrepl: rid=003 rc -1 retrying (9 retries left)
Oct 14 12:47:53 server slapd[32470]: do_syncrep2: rid=003 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Oct 14 12:47:53 server slapd[32470]: do_syncrep2: rid=003 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Oct 14 12:47:53 server slapd[32470]: do_syncrep2: rid=003 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
I don't really understand the "TLS context initialization failed (-1)", as my replication is working?
Thanks for the tips.
Hugo
On 13 October 2011 19:29, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Thursday, October 13, 2011 6:38 PM +0200 Hugo Deprez hugo.deprez@gmail.com wrote:
Dear community,
I set up a syncrepl between my master OpenLDAP server and a consumer.
I am trying to use SSL for this syncrepl. I got the following error in the log when I start slapd on the consumer:
Oct 13 17:04:59 server slapd[16905]: slapd starting
Oct 13 17:04:59 server slapd[16905]: slap_client_connect: URI=ldaps://ldap.mydomain.fr:1024/ DN="cn=syncrepluser,o=others,dc=mydomain,dc=fr" ldap_sasl_bind_s failed (-1)
Oct 13 17:04:59 server slapd[16905]: do_syncrepl: rid=003 rc -1 retrying (9 retries left)
I don't understand why it is failing as a single ldapsearch from the same server with the syncrepl user is working.
Here is my syncrepl configuration:
Syncrepl rid=003
    provider=ldaps://ldap.mydomain.fr:1024/
    type=refreshOnly
    retry="60 10 600 +"
    interval=00:00:00:10
    searchbase="dc=mydomain,dc=fr"
    scope=sub
    schemachecking=on
    bindmethod=simple
    binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
    credentials=my_password
Any idea?
I don't see any of the tls_* options to the syncrepl configuration here. Likely the syncrepl client is unable to verify the master's cert. I would note that using refreshOnly is ill-advised.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
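As an added example (not code from this thread or from the OpenLDAP project), here is an offline lint in Python that parses a syncrepl directive the way slapd tokenises it and flags the TLS settings the thread turns on: a ldaps:// provider with no tls_cacert or tls_cacertdir (Quanah's point: the consumer has no trust anchor for the master's certificate), tls_cert given without tls_key (slapd.conf(5) documents tls_cert and tls_key as the consumer's own client certificate and private key, so a file holding only the provider's certificate cannot play that role), and a tls_reqcert of never or allow. The option names are the real syncrepl options from slapd.conf(5); the lint rules, messages and the hardened sample directive are my own, and the two other sample directives are the ones posted above with the thread's placeholder password.

```python
"""Offline lint for the TLS options of a slapd.conf syncrepl directive (added example)."""
import shlex
from typing import Dict, List

# libldap verifies the server certificate by default when tls_reqcert is absent.
DEFAULT_REQCERT = "demand"


def parse_syncrepl(directive: str) -> Dict[str, str]:
    """Split a syncrepl directive into lower-cased option names and their values.

    shlex honours double quotes, so retry="60 10 600 +" stays a single token,
    which matches how slapd tokenises the line.
    """
    tokens = shlex.split(directive)
    if not tokens or tokens[0].lower() != "syncrepl":
        raise ValueError("not a syncrepl directive")
    opts: Dict[str, str] = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed option, expected key=value: {tok!r}")
        opts[key.lower()] = value
    return opts


def lint_syncrepl_tls(opts: Dict[str, str]) -> List[str]:
    """Return findings about the consumer's TLS setup; an empty list means nothing flagged."""
    findings: List[str] = []
    provider = opts.get("provider", "").lower()
    starttls = opts.get("starttls", "no").lower() in ("yes", "critical")
    uses_tls = provider.startswith("ldaps://") or starttls
    reqcert = opts.get("tls_reqcert", DEFAULT_REQCERT).lower()

    if not uses_tls:
        findings.append("provider is not ldaps:// and starttls is off: "
                        "the simple bind password travels in cleartext")
    elif "tls_cacert" not in opts and "tls_cacertdir" not in opts:
        findings.append("no tls_cacert/tls_cacertdir: the consumer has no trust anchor "
                        "to verify the provider's certificate")
    if reqcert in ("never", "allow"):
        findings.append(f"tls_reqcert={reqcert}: an unverifiable provider certificate is accepted")
    if "tls_cert" in opts and "tls_key" not in opts:
        findings.append("tls_cert without tls_key: tls_cert is the consumer's own client "
                        "certificate and needs the matching private key")
    if "tls_key" in opts and "tls_cert" not in opts:
        findings.append("tls_key without tls_cert: a private key alone is not a client identity")
    return findings


def lint_directive(directive: str) -> List[str]:
    """Parse and lint in one step."""
    return lint_syncrepl_tls(parse_syncrepl(directive))


# The two directives posted in the thread (placeholder password as on the page)
# and a constructed hardened variant: CA trust anchor present, verification demanded,
# no client certificate because bindmethod=simple does not need one.
ORIGINAL = (
    'Syncrepl rid=003 provider=ldaps://ldap.mydomain.fr:1024/ type=refreshOnly '
    'retry="60 10 600 +" interval=00:00:00:10 searchbase="dc=mydomain,dc=fr" scope=sub '
    'schemachecking=on bindmethod=simple '
    'binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr" credentials=my_password'
)
WITH_CLIENT_CERT = (
    'Syncrepl rid=003 provider=ldaps://ldap.mydomain.fr:1024/ type=refreshOnly '
    'retry="60 10 600 +" interval=00:00:00:10 searchbase="dc=mydomain,dc=fr" scope=sub '
    'schemachecking=on bindmethod=simple tls_cert=/etc/ssl/certs/ldap-cert.pem '
    'tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem '
    'binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr" credentials=my_password'
)
HARDENED = (
    'syncrepl rid=003 provider=ldaps://ldap.mydomain.fr:1024/ type=refreshAndPersist '
    'retry="60 10 600 +" searchbase="dc=mydomain,dc=fr" scope=sub schemachecking=on '
    'bindmethod=simple tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem tls_reqcert=demand '
    'binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr" credentials=my_password'
)

if __name__ == "__main__":
    for name, directive in (("original", ORIGINAL),
                            ("with tls_cert", WITH_CLIENT_CERT),
                            ("hardened", HARDENED)):
        findings = lint_directive(directive)
        print(f"{name}: {'ok' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run it as a script to see the findings for each directive; on a live consumer, feed it the syncrepl line from slapd.conf before restarting slapd, so a missing trust anchor or a certificate file that is not actually the consumer's own client identity is caught before it shows up as a bind or TLS context failure in the log.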