Dear OpenLDAP experts,
I'm about to set up an OpenLDAP server with the following features:
- TLS/SSL with self-signed certificates
- TLS-encrypted N-way replication (Syncrepl)
My environment:
- 2 x RHEL 6.0
- OpenLDAP 2.4.23
I try to sync both databases: cn=config and backend-db. The problem is that I'm not able to turn on TLS for both sync-connections at the same time. It works for each connection but only if the second one is unencrypted.
Working configuration:
-----
olcDatabase={0}config,cn=config
...
olcSyncrepl: {0}rid=001 provider=ldap://ldapserver1.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://ldapserver2.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
...
olcDatabase={1}bdb,cn=config
...
olcSyncrepl: {0}rid=003 provider=ldap://ldapserver1.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
olcSyncrepl: {1}rid=004 provider=ldap://ldapserver2.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
-----
(Desired) configuration, which doesn't work:
-----
olcDatabase={0}config,cn=config
...
olcSyncrepl: {0}rid=001 provider=ldap://ldapserver1.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
olcSyncrepl: {1}rid=002 provider=ldap://ldapserver2.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
...
olcDatabase={1}bdb,cn=config
...
olcSyncrepl: {0}rid=003 provider=ldap://ldapserver1.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
olcSyncrepl: {1}rid=004 provider=ldap://ldapserver2.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
-----
/etc/openldap/cacerts/ca.pem contains CA certificates of both servers.
What is wrong? I would be very thankful for any advice.
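A quick audit of the olcSyncrepl values in a cn=config dump, as an added example that is not from the original post or from the OpenLDAP project: it parses each consumer definition (quoted values, the {n} ordering prefix, LDIF continuation lines) and reports which consumers would send simple-bind credentials over ldap:// without StartTLS, and which use starttls=yes rather than starttls=critical, since with "yes" slapd continues the syncrepl session in cleartext if the StartTLS request fails. The sample LDIF is constructed from the "working" configuration quoted above.

```python
import shlex

# Constructed sample (values copied from the post); not a dump taken from a real server.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldapserver1.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://ldapserver2.com binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1

dn: olcDatabase={1}bdb,cn=config
olcSyncrepl: {0}rid=003 provider=ldap://ldapserver1.com binddn="cn=manager,dc=ldap,dc=com" bindmethod=simple credentials=password searchbase="dc=ldap,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/cacerts/ca.pem
"""

def unwrap_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def parse_syncrepl(value):
    """Parse one olcSyncrepl value into a dict, dropping the {n} ordering prefix."""
    if value.startswith("{"):
        value = value[value.index("}") + 1:]
    params = {}
    for token in shlex.split(value):  # shlex honours quoted values such as retry="5 5 300 5"
        key, _, val = token.partition("=")
        params[key] = val
    return params

def audit(ldif_text):
    """Return (rid, database dn, issue) tuples for consumers whose simple-bind
    credentials could cross the wire unencrypted."""
    findings = []
    database = None
    for line in unwrap_ldif(ldif_text):
        if line.startswith("dn: "):
            database = line[4:]
        elif line.startswith("olcSyncrepl: "):
            p = parse_syncrepl(line[len("olcSyncrepl: "):])
            if p.get("provider", "").startswith("ldaps://"):
                continue  # TLS from the first byte; nothing to flag here
            if p.get("bindmethod") == "simple" and p.get("starttls") not in ("yes", "critical"):
                findings.append((p.get("rid"), database, "simple bind over ldap:// without starttls"))
            elif p.get("starttls") == "yes":
                findings.append((p.get("rid"), database, "starttls=yes falls back to cleartext if StartTLS fails; use starttls=critical"))
    return findings
```

Run audit() over the output of `slapcat -n 0` to check a live cn=config rather than the embedded sample.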