Dear Andrei,
On 16/07/12 11:47 AM, Andrei BĂNARU wrote:
> Hi,
> Because you're using chain type referrals you need to "trust" the certificate from the ldap server you are "referring" to on the LDAP clients issuing queries.
Isn't this done by setting up TLS_CACERT in /etc/ldap/ldap.conf and TLSCACertificateFile in /etc/ldap/slapd.conf?
In my case, on the slave /etc/ldap.conf contains the line "TLS_CACERT /etc/ssl/certs/cacert.pem" and /etc/ldap/slapd.conf contains the line "TLSCACertificateFile /etc/ssl/certs/cacert.pem". cacert.pem is the self-signed cert from the CA that I used to sign the certificates for each server. LDAP client queries with -Z or -ZZ work fine, and syncrepl (with TLS) works fine. slapo-chain + TLS won't work, and each time it gives a TLS negotiation failure.
In an attempt to understand more I started slapd on the master with debug -1 and found this error:
TLS: can't accept: A record packet with illegal version was received.. connection_read(16): TLS accept failure error=-1 id=1001, closing
The master runs Ubuntu 10.04.4 LTS and slapd @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:18:58) $ buildd@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
I'm wondering whether I need to upgrade the master (the slave is Ubuntu 12.04); could this be related to the version of slapd or GnuTLS?
Regards,
Warren.
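As an added illustration of the trust setup discussed in this thread (an example configuration written for this page, not Warren's or Andrei's actual files and not taken from the OpenLDAP project), here is how the replica's slapd.conf and the client-side ldap.conf fit together when slapo-chain forwards operations over StartTLS. The CA path is the one from the thread; the replica's own certificate paths and the provider hostname are assumptions. The point is that the chain overlay is a client of the provider, so it needs the same CA trust that ldapsearch -ZZ gets from TLS_CACERT, and slapd-ldap(5) lets you state that explicitly on the chained connection with a "chain-" prefixed tls directive.

```conf
# --- /etc/ldap/slapd.conf on the replica (added example) ---
# Server-side TLS for the replica itself. cacert.pem is the private CA from the
# thread; the certificate and key paths below are assumed.
TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSCertificateFile      /etc/ssl/certs/replica.crt      # assumed path
TLSCertificateKeyFile   /etc/ssl/private/replica.key    # assumed path

# slapo-chain is built on back-ldap, so any slapd-ldap(5) directive may be
# given with a "chain-" prefix. "chain-tls start" makes the forwarded
# connection negotiate StartTLS (the same mode ldapsearch -Z uses), tls_cacert
# points the outbound side at the same CA, and tls_reqcert=demand refuses to
# proceed if the provider's certificate does not verify against it.
overlay                 chain
chain-uri               "ldap://master.example.com"      # assumed hostname
chain-tls               start tls_cacert=/etc/ssl/certs/cacert.pem tls_reqcert=demand
chain-return-error      TRUE

# --- /etc/ldap/ldap.conf on every client, including the replica host ---
# Governs libldap as used by ldapsearch, syncrepl and, absent a chain-tls
# override, the chain overlay.
TLS_CACERT      /etc/ssl/certs/cacert.pem
TLS_REQCERT     demand
```

One check worth doing before chasing library versions: the URI scheme in chain-uri has to match the provider's listener. "chain-tls start" expects a plain ldap:// port that will be upgraded with StartTLS; pointing it at an ldaps:// listener, or the reverse, produces a handshake failure on the provider side rather than a clean certificate error. With the configuration above, the provider's slapd -d -1 output should show the forwarded connection's TLS negotiation completing before any bind is attempted.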