Sterling Sahaydak wrote:
I've recently updated both my openldap servers to version 2.4.39 and everything seems to be working EXCEPT the mirror synchronization, which was the issue I had previously with 2.4.23.

Running on CentOS 6.5.

Setup:
  Server1 (provider): ldap-east.xxxxx.net
  Server2 (consumer): ldap-west.xxxxx.net

Not using self-signed certs. Instead I have a SAN (Subject Alternative Name) cert from DigiCert with 4 hostnames:
  ldap.xxxxx.net
  ldap-1.xxxxx.net
  ldap-2.xxxxx.net
  ldap-alt.xxxxx.net

I'm using slapd.conf vs cn=config.

The details:

[root@ldap-east certs]# slapd -d sync
541b16ed @(#) $OpenLDAP: slapd 2.4.39 (Sep 16 2014 19:42:16) $
        root@admin.pcoral.net:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
541b16ed /etc/openldap/slapd.conf: line 165: warning, destination attributeType 'sAMAccountName' is not defined in schema
541b16ed PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
541b16ed /etc/openldap/slapd.conf: line 215: rootdn is always granted unlimited privileges.
541b16ed bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
541b16ed slapd starting
TLS: error: the certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldap.xxxxx.net,O="xxxxxx, INC.",L=Alviso,ST=California,C=US'.
541b16ed do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE

*** I wonder if there is something about SAN certs where ldap is having issues?
This has nothing to do with OpenLDAP. Your build is using the MozNSS crypto library, ask Red Hat for help with that.
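As an added example (not part of this thread, and not OpenLDAP or Red Hat code): before chasing the crypto library, a practitioner would want two facts about the PEM material itself settled, namely that the certificate really carries the SAN hostnames and that the certificate and the private key are a matching pair (a TLS server needs both, and the "no unlocked certificate" wording above is about the library not having a usable key for that certificate). The script below checks both with plain openssl. The example.net hostnames, the file names and the throwaway certificate it generates are constructed for the demonstration; the real /etc/openldap/certs/ldap_xxxxx_net.crt is not touched.

```shell
#!/bin/sh
# Added example: sanity-check a PEM server certificate and its key.
# Usage: ./check_pair.sh /path/to/server.crt /path/to/server.key
# With no arguments it generates a throwaway SAN certificate (constructed
# here, hostnames under example.net are an assumption) and checks that.
set -e

# Print the DNS names in the certificate's subjectAltName, one per line.
# Works with OpenSSL 1.0 and later because it parses the -text output
# instead of relying on the newer -ext option.
san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if the public key inside the certificate is the same key
# the private key file produces. A mismatch means the server could never
# prove possession of the certificate, whatever crypto library loads it.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Build a self-signed cert with four SAN hostnames plus an unrelated key,
# so both the matching and the mismatching case can be exercised offline.
make_demo_pair() {
    dir=$(mktemp -d)
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = ldap.example.net
O = Example Inc
[v3_san]
subjectAltName = DNS:ldap.example.net,DNS:ldap-1.example.net,DNS:ldap-2.example.net,DNS:ldap-alt.example.net
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/san.cnf" \
        -keyout "$dir/ldap.key" -out "$dir/ldap.crt" >/dev/null 2>&1
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
    echo "$dir"
}

if [ $# -eq 2 ]; then
    CRT=$1; KEY=$2
else
    DEMO=$(make_demo_pair); CRT=$DEMO/ldap.crt; KEY=$DEMO/ldap.key
fi

echo "SAN hostnames in $CRT:"
san_names "$CRT"
if key_matches_cert "$CRT" "$KEY"; then
    echo "private key matches certificate"
else
    echo "PRIVATE KEY DOES NOT MATCH CERTIFICATE"
fi
```

If both checks pass on the real files, the PEM certificate and key are consistent with each other and with the four hostnames, and the remaining question is purely how the MozNSS build locates that pair, which is where the reply above points.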
*** Since it is a signed CA cert in a mirror sync setup, do I need to set it up in the local CA (using certutil) and add it? (didn't have to for non-sync use)

*** Unclear of 'not found in database' - which one? I've tried adding it using certutil in various permutations of adding the cert to the local CA database with all the various SAN names as different nicknames.

*** I've also set up symlinks in /etc/openldap/certs pointing from the hashes -> certs - but all of these with the exact same output as above.

From the debug log: