Hi!
In my test environment (using openLDAP 2.5) the certificate used to authenticate syncrepl expired Friday night, so when returning on Monday, I was expe4cting error from syncrepl, but I did not see any. I suspect that this is due to persistent connections are being used. I see a big danger there: The operator may not notice that the certificated had expired as syncrepl still works (it seems, but there were no actual changes over the weekend)). However (as I understand it), syncrepl will start to fail once the network causes the persistent connection to fail, or a server is restarted.
So I wonder: Is there a way to recognize expiration of the certificate? Maybe by limiting the life-time of a persistent connection, or slapd/syncrepl doing explicit checks on the certificate?
Kind regards, Ulrich Windl