Hi!

 

In my test environment (using openLDAP 2.5) the certificate used to authenticate syncrepl expired Friday night, so when returning on Monday, I was expe4cting error from syncrepl, but I did not see any.

I suspect that this is due to persistent connections are being used.

I see a big danger there:

The operator may not notice that the certificated had expired as syncrepl still works (it seems, but there were no actual changes over the weekend)).

However (as I understand it), syncrepl will start to fail once the network causes the persistent connection to fail, or a server is restarted.

 

So I wonder: Is there a way to recognize expiration of the certificate? Maybe by limiting the life-time of a persistent connection, or slapd/syncrepl doing explicit checks on the certificate?

 

Kind regards,

Ulrich Windl