I am attempting to move my syncrepl with mirrormode configuration over to TLS using LDAPS (not STARTTLS) and running into problems.
Multimaster setup (2 servers) behind a VIP, both RHEL 6.3 with OpenLDAP 2.4.23-26, still running the old slapd.conf method (apologies). There are 3 separate certificates: ldap.mycompany.net, server01.mycompany.net, and server02.mycompany.net.
The primary certificate is used for running slapd, and the individual server certs are intended to allow syncrepl over ssl.
My configurations for syncrepl/mirrormode are down below.
I had success with non-ssl syncrepl/mirrormode. It worked great actually. Now I am attempting to get syncrepl/mirrormode working with SSL.
What I observe is whichever slapd instance is the last to startup is the one that becomes a "Master" as if I was in a producer/consumer setup.
Errors I am seeing are:

    slapd[11995]: conn=1003 fd=13 ACCEPT from IP=<server1_IP>:56368 (IP=0.0.0.0:636)
    slapd[11995]: connection_read(13): TLS accept failure error=-1 id=1003, closing
    slapd[11485]: slap_client_connect: URI=ldaps://server01.mycompany.net DN="cn=Admin,dc=mycompany,dc=net" ldap_sasl_bind_s failed (-1)
    slapd[11485]: do_syncrepl: rid=001 rc -1 retrying
Server 1 configuration:

    # Server1 synchronization settings
    serverID 1
    syncrepl rid=002
        provider=ldaps://server02.mycompany.net
        binddn="cn=Admin,dc=mycompany,dc=net"
        bindmethod=simple
        credentials=secret
        tls_cert=/etc/openldap/certs/server02.mycompany.net.pem
        tls_cacert=/etc/openldap/certs/Verisignbundle.crt
        tls_key=/etc/openldap/certs/server02.mycompany.net.key
        tls_reqcert=allow
        searchbase="dc=mycompany,dc=net"
        type=refreshAndPersist
        retry="5 5 300 +"
        timelimit=5
        attrs="*,+"
        interval=00:00:05:00
        schemachecking=off
    mirrormode on
    # Server1 synchronization overlay
    overlay syncprov
    syncprov-checkpoint 100 10
    syncprov-sessionlog 100
    # Server1 end
Server 2 configuration:

    # Server2 synchronization settings
    serverID 2
    syncrepl rid=001
        provider=ldaps://server01.mycompany.net
        binddn="cn=Admin,dc=mycompany,dc=net"
        bindmethod=simple
        credentials=secret
        tls_cert=/etc/openldap/certs/server01.mycompany.net.pem
        tls_cacert=/etc/openldap/certs/Verisignbundle.crt
        tls_key=/etc/openldap/certs/server01.mycompany.net.key
        tls_reqcert=allow
        searchbase="dc=mycompany,dc=net"
        type=refreshAndPersist
        retry="5 5 300 +"
        timelimit=5
        attrs="*,+"
        interval=00:00:05:00
        schemachecking=off
    mirrormode on
    # Server02 synchronization overlay
    overlay syncprov
    syncprov-checkpoint 100 10
    # Server2 end
Any help is greatly appreciated.
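As an added example (not part of the question above, and not OpenLDAP's own code), here is a small Python diagnostic that does two things a practitioner would want when chasing a syncrepl-over-LDAPS problem like this one: it parses the `syncrepl` directive out of a slapd.conf fragment and flags TLS settings that weaken the consumer-to-provider connection (in particular `tls_reqcert=allow`, which per the ldap.conf(5) semantics ignores a bad or missing provider certificate instead of failing the session), and it parses slapd's syslog lines to join each "TLS accept failure" to the ACCEPT record for the same connection id, so the report names which peer's handshake the listener rejected. The configuration text, hostnames and the 10.0.0.1 peer address are constructed samples in the shape of the post.

```python
import re
import shlex
from typing import Dict, List

# Constructed sample slapd.conf fragment (placeholder hosts, not real servers).
SAMPLE_CONF = '''
serverID 1
syncrepl rid=002 provider=ldaps://server02.mycompany.net binddn="cn=Admin,dc=mycompany,dc=net" bindmethod=simple credentials=secret tls_cert=/etc/openldap/certs/server02.mycompany.net.pem tls_cacert=/etc/openldap/certs/Verisignbundle.crt tls_key=/etc/openldap/certs/server02.mycompany.net.key tls_reqcert=allow searchbase="dc=mycompany,dc=net" type=refreshAndPersist retry="5 5 300 +"
mirrormode on
'''

# Constructed sample log lines in the format slapd writes to syslog.
SAMPLE_LOG = '''
slapd[11995]: conn=1003 fd=13 ACCEPT from IP=10.0.0.1:56368 (IP=0.0.0.0:636)
slapd[11995]: connection_read(13): TLS accept failure error=-1 id=1003, closing
slapd[11485]: slap_client_connect: URI=ldaps://server01.mycompany.net DN="cn=Admin,dc=mycompany,dc=net" ldap_sasl_bind_s failed (-1)
slapd[11485]: do_syncrepl: rid=001 rc -1 retrying
'''


def parse_syncrepl(conf: str) -> List[Dict[str, str]]:
    """Return one dict of key=value pairs per syncrepl directive.
    shlex handles the quoted values (binddn="...", retry="5 5 300 +")."""
    directives = []
    for line in conf.splitlines():
        if not line.startswith("syncrepl"):
            continue
        kv = {}
        for tok in shlex.split(line)[1:]:
            key, _, value = tok.partition("=")  # split on the first '=' only
            kv[key] = value
        directives.append(kv)
    return directives


def lint_syncrepl(d: Dict[str, str]) -> List[str]:
    """Flag settings under which the consumer cannot tell the real provider
    from an impostor, or sends its bind credentials in the clear."""
    findings = []
    provider = d.get("provider", "")
    if not provider.startswith("ldaps://"):
        findings.append("provider is not ldaps://; simple-bind credentials travel in clear")
    # 'never' and 'allow' skip validating the provider's certificate.
    reqcert = d.get("tls_reqcert", "demand")
    if reqcert in ("never", "allow"):
        findings.append("tls_reqcert=%s does not verify the provider certificate; use demand" % reqcert)
    host = provider.split("://", 1)[-1].split("/")[0].split(":")[0]
    if "tls_cacert" not in d:
        findings.append("no tls_cacert: certificate for %s cannot chain to a trusted CA" % host)
    return findings


LOG_RE = {
    "accept": re.compile(r"conn=(\d+) fd=(\d+) ACCEPT from IP=([\d.]+):\d+ \(IP=([\d.]+):(\d+)\)"),
    "tls_fail": re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)"),
    "bind_fail": re.compile(r'slap_client_connect: URI=(\S+) DN="([^"]+)" ldap_sasl_bind_s failed \((-?\d+)\)'),
    "retry": re.compile(r"do_syncrepl: rid=(\d+) rc (-?\d+) retrying"),
}


def parse_log(text: str) -> List[Dict[str, object]]:
    """Classify each log line by the first pattern it matches."""
    events = []
    for line in text.splitlines():
        for kind, rx in LOG_RE.items():
            m = rx.search(line)
            if m:
                events.append({"kind": kind, "groups": m.groups()})
                break
    return events


def correlate(events: List[Dict[str, object]]) -> List[str]:
    """Join each TLS accept failure to the ACCEPT with the same conn id, and
    report syncrepl bind failures with the provider URI they were aimed at."""
    accepts = {e["groups"][0]: e for e in events if e["kind"] == "accept"}
    report = []
    for e in events:
        if e["kind"] == "tls_fail":
            err, cid = e["groups"]
            a = accepts.get(cid)
            peer = a["groups"][2] if a else "unknown"
            port = a["groups"][4] if a else "?"
            report.append("conn=%s: TLS handshake from %s on port %s failed (error=%s)" % (cid, peer, port, err))
        elif e["kind"] == "bind_fail":
            uri, dn, rc = e["groups"]
            report.append("syncrepl consumer could not bind to %s as %s (rc=%s)" % (uri, dn, rc))
    return report


if __name__ == "__main__":
    for d in parse_syncrepl(SAMPLE_CONF):
        for f in lint_syncrepl(d):
            print("rid=%s: %s" % (d.get("rid"), f))
    for line in correlate(parse_log(SAMPLE_LOG)):
        print(line)
```

Run against a real slapd.conf and /var/log/messages, the lint output tells you whether the consumer is actually validating the provider's certificate, and the correlated log report tells you which peer address the 636 listener refused, which is the first thing to compare against the hostnames in the certificates each side presents.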