--On Friday, July 07, 2017 8:10 PM +0000 Jon C Kidder jckidder@aep.com wrote:
I've removed the starttls=no syntax and the line now reads:
olcDbStartTLS: ldaps tls_cacert="/appl/openldap/etc/openldap/tls/cacerts.cer " tls_reqcert=demand tls_crlcheck=none
I have verified the change propagated to the configuration directory and restarted the instance. I saw no errors during configuration parsing in the log. I am still seeing this error when the chain overlay tries to follow the referral but no complaints when syncrepl connects.
I'm not sure how you do this with cn=config. With slapd.conf, it would be done via using "chain-tls" and not "tls", as per the man page:
There are very few chain overlay specific directives; however, directives related to the instances of the ldap backend that may be implicitly instantiated by the overlay may assume a special meaning when used in conjunction with this overlay. They are described in slapd-ldap(5), and they also need to be prefixed by chain-.
It may be worthwhile to set up a slapd.conf where "chain-tls" is specified, and see what happens with that on conversion.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com