On Mon, Jun 26, 2017 at 11:09:43AM -0700, Quanah Gibson-Mount wrote:
Now you're switching topics. Your original mail did not include cert authentication, it used simple binds:
syncrepl rid=000 provider=ldaps://ldap.dannatu.ch:636 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=dannatu,dc=ch" attrs="*,+" scope=sub bindmethod=simple binddn="cn=Manager,dc=dannatu,dc=ch" credentials=**************
Either way, cert authentication AND TLS encrypted syncrepl both work for me with OpenSSL 1.0.2l and OpenLDAP 2.4.45 just fine, so I would have to again guess issues with proper TLS configuration.
It seems that the CA cert was never referenced in the syncrepl clause, so it would have dropped back to whatever TLS config was in the LDAP *client* config file (probably /etc/ldap/ldap.conf). I seem to remember a change in behaviour of OpenSSL libs a while ago where I was bitten by something similar. Maybe Juergen's earlier setup used ldap.conf and the new one is ignoring it?
Andrew