I'm trying to move my OpenLDAP MMR configuration from RHEL 6.5 (OpenLDAP 2.4.23) to RHEL 6.7 (OpenLDAP 2.4.40). On RHEL 6.5 it is working with no problems. On RHEL 6.7, the configuration causes "ldapsearch -ZZ" to hang indefinitely.
The cn=config section in slapd.conf looks like this:
# sync provider configuration
overlay syncprov
syncprov-checkpoint 1 1

syncrepl rid=001 provider=ldap://server1 searchbase="cn=config"
    filter="(|(objectClass=olcDatabaseConfig)(objectClass=olcOverlayConfig))"
    bindmethod=sasl saslmech=EXTERNAL starttls=critical
    tls_cert=/etc/openldap/csa-certs/config.crt
    tls_key=/etc/openldap/csa-certs/config.key
    tls_cacert=/etc/openldap/csa-certs/cacert.pem
    tls_reqcert=demand type=refreshAndPersist retry="5 10 10 10 30 +" timeout=1

syncrepl rid=002 provider=ldap://server2 searchbase="cn=config"
    filter="(|(objectClass=olcDatabaseConfig)(objectClass=olcOverlayConfig))"
    bindmethod=sasl saslmech=EXTERNAL starttls=critical
    tls_cert=/etc/openldap/csa-certs/config.crt
    tls_key=/etc/openldap/csa-certs/config.key
    tls_cacert=/etc/openldap/csa-certs/cacert.pem
    tls_reqcert=demand type=refreshAndPersist retry="5 10 10 10 30 +" timeout=1

mirrormode on
If I comment out that section in slapd.conf then "ldapsearch -ZZ" works but (obviously) I don't get cn=config replication.
Am I doing something wrong in the configuration? Is it a fluke that it is working on 2.4.23 in the first place? Or does anyone know what may have changed (or is more strict or whatever) in the 2.4.40 release?
Should I try to just remove RHEL's version of OpenLDAP and install the latest from openldap.org instead?
Any assistance is highly appreciated!
Thanks,
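A pre-flight check on the syncrepl stanzas themselves, as an added example that is not part of the original post: it joins slapd.conf continuation lines, extracts each syncrepl directive's key=value settings (including quoted values such as filter and retry), and reports any referenced TLS file that does not exist. The sample config is constructed from the stanza in the question, and the file-existence test is a parameter so the script runs offline.

```python
"""Pre-flight parser for syncrepl stanzas in slapd.conf (constructed example)."""
import os
import shlex

# Constructed sample mirroring the cn=config stanza in the question.
SAMPLE_CONF = """\
# sync provider configuration
overlay syncprov
syncprov-checkpoint 1 1
syncrepl rid=001 provider=ldap://server1 searchbase="cn=config"
    filter="(|(objectClass=olcDatabaseConfig)(objectClass=olcOverlayConfig))"
    bindmethod=sasl saslmech=EXTERNAL starttls=critical
    tls_cert=/etc/openldap/csa-certs/config.crt
    tls_key=/etc/openldap/csa-certs/config.key
    tls_cacert=/etc/openldap/csa-certs/cacert.pem
    tls_reqcert=demand type=refreshAndPersist retry="5 10 10 10 30 +" timeout=1
mirrormode on
"""

def join_continuations(text):
    """slapd.conf appends a line to the previous one when it starts with whitespace."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines

def parse_syncrepl(text):
    """Return one dict of key=value settings per syncrepl directive."""
    stanzas = []
    for line in join_continuations(text):
        if line.startswith("syncrepl "):
            params = {}
            for tok in shlex.split(line[len("syncrepl "):]):  # honours "..." quoting
                key, _, val = tok.partition("=")
                params[key] = val
            stanzas.append(params)
    return stanzas

def check_tls_files(stanzas, exists=os.path.isfile):
    """List (rid, key, path) for every referenced TLS file that is missing."""
    missing = []
    for s in stanzas:
        for key in ("tls_cert", "tls_key", "tls_cacert"):
            if key in s and not exists(s[key]):
                missing.append((s.get("rid"), key, s[key]))
    return missing

if __name__ == "__main__":
    for rid, key, path in check_tls_files(parse_syncrepl(SAMPLE_CONF)):
        print(f"rid={rid}: {key} points at missing file {path}")
```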