Hello,
I have 2 CentOS 5.4 servers running OpenLDAP 2.4.20 installed from Buchan Milne's repository (openldap2.4- servers-2.4.20-1.el5).
The first server is a Sync Provider. The second is a consumer with 'starttls=critical'.
I have no problem after 'yum update' of the master (openldap2.4-servers-2.4.22-1.el5 is installed and replication is OK).
But after 'yum update' of the slave, syncrepl won't work anymore because of TLS failures.
Here are the logs on the master : Oct 20 16:51:15 vcos-castor slapd2.4[20097]: @(#) $OpenLDAP: slapd 2.4.22 (Apr 27 2010 12:04:27) $ bgmilne@centos5-32.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/ openldap-2.4.22/servers/slapd Oct 20 16:51:15 vcos-castor slapd2.4[20098]: slapd starting Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 ACCEPT from IP=IP.OF.THE.SLAVE:46212 (IP=0.0.0.0:389) Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 STARTTLS Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 RESULT oid= err=0 text= Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 closed (TLS negotiation failure)
Here are the logs on the slave : Oct 20 16:51:45 vcos-pollux slapd2.4[1808]: @(#) $OpenLDAP: slapd 2.4.22 (Apr 27 2010 12:04:27) $ bgmilne@centos5-32.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/ openldap-2.4.22/servers/slapd Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slapd starting Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slap_client_connect: URI=ldap://NAME_OF_THE_MASTER Error, ldap_start_tls failed (-11) Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: do_syncrepl: rid=000 rc -11 retrying (4 retries left)
ldapsearch from the slave can do TLS : $ ldapsearch -ZZ -x -h NAME_OF_THE_MASTER This is ldapsearch from openldap-clients-2.3.43-12.el5_5.2 as packaged by CentOS
Any ideas on how to troubleshoot the problem?
Regards, Thierry
PS : as a side note both servers are Xen VMs running on CentOS hosts.