On my working master server openldap-2.3.27-8 under CentOS 5, I added:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
On the slave server openldap-2.3.27-8.el5_2.4 under CentOS 5.2, I added:
syncrepl rid=123
    provider=ldaps://primary-ldap-server:636
    type=refreshOnly
    interval=01:00:00:00
    searchbase="dc=mydomain,dc=com"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    bindmethod=simple
    binddn="cn=syncuser,dc=mydomain,dc=com"
    credentials=mysecret
ldap started on the slave server OK, and /var/lib/ldap has all of the database files. On that server, from the command line, I can:
[root@ldap2 ~]# ldapsearch -xLLL -b "dc=mydomain,dc=com" uid=joliver sn givenName cn
dn: uid=joliver,ou=People,dc=mydomain,dc=com
givenName: John
sn: Oliver
cn: John Oliver
But when I point another machine at that slave server, it won't authenticate:
Jul 23 03:06:28 localhost login(pam_unix)[9475]: check pass; user unknown
Jul 23 03:06:28 localhost login(pam_unix)[9475]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jul 23 03:06:28 localhost login[9475]: pam_ldap: ldap_search_s No such object
Jul 23 03:06:30 localhost login[9475]: FAILED LOGIN 1 FROM (null) FOR joliver, Authentication failure
[root@localhost ~]# ldapsearch -H ldaps://ldap2.mydomain.com -b "dc=mydomain,dc=com" uid=joliver sn givenName cn
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[root@localhost ~]# ldapsearch -H ldap://ldap2.mydomain.com -b "dc=mydomain,dc=com" uid=joliver sn givenName cn
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
When using just ldap:// with ldapsearch, I don't know what password it's asking for. My LDAP password doesn't work, the LDAP admin password doesn't work, the local root password doesn't work...
Here's the odd thing. When I started setting this up, the machine that's the primary (and working) LDAP server now was running fedora-ds. I set up OpenLDAP on what is now the slave server, and it worked perfectly. I slapcat'ed it, installed OpenLDAP on the primary server, and slapadded the db. I never generated any certificates on it at all, and it works perfectly. I just regenerated the cert on the slave server, but no joy.
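As an added example (not part of the original post), a small Python script that parses the consumer's syncrepl directive from slapd.conf, handling continuation lines and quoted values the way slapd does, and flags the settings a reviewer would question before pointing clients at the slave. The function names and the audit rules are my own; the sample configuration is the one from the post.

```python
import re
import shlex

# Constructed sample: the consumer-side directive from the post, as it appears in slapd.conf.
CONSUMER_CONF = """\
syncrepl rid=123
    provider=ldaps://primary-ldap-server:636
    type=refreshOnly
    interval=01:00:00:00
    searchbase="dc=mydomain,dc=com"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    bindmethod=simple
    binddn="cn=syncuser,dc=mydomain,dc=com"
    credentials=mysecret
"""


def parse_syncrepl(conf):
    """Join slapd.conf continuation lines (lines starting with whitespace) and
    split the syncrepl directive into a dict of key=value pairs, honouring quotes."""
    joined = re.sub(r"\n[ \t]+", " ", conf)
    for line in joined.splitlines():
        if line.startswith("syncrepl "):
            tokens = shlex.split(line)[1:]          # drop the directive name
            return dict(tok.split("=", 1) for tok in tokens)
    raise ValueError("no syncrepl directive found")


def audit_syncrepl(params):
    """Return the findings a reviewer would raise about the consumer configuration."""
    findings = []
    provider = params.get("provider", "")
    if not provider.startswith("ldaps://") and params.get("starttls") not in ("yes", "critical"):
        findings.append("provider is not ldaps:// and starttls is unset: bind password crosses the wire in clear")
    if params.get("bindmethod") == "simple" and "credentials" in params:
        findings.append("credentials are inline in slapd.conf: file must be readable by the slapd user only")
    if not re.fullmatch(r"\d\d:\d\d:\d\d:\d\d", params.get("interval", "")):
        findings.append("interval must be dd:hh:mm:ss")
    if params.get("type") == "refreshOnly":
        findings.append("refreshOnly: consumer lags the provider by up to one interval (here a password change)")
    return findings


if __name__ == "__main__":
    for finding in audit_syncrepl(parse_syncrepl(CONSUMER_CONF)):
        print("-", finding)
```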