Never mind.
I had to put this line in the syncrepl section of the slave
starttls=yes
Sorry about the noise.
On Sun, May 27, 2012 at 10:29 PM, zhong ming wu mr.z.m.wu@gmail.com wrote:
Hello
I am using version 2.4 and in the process of setting up a master/slave pair using syncrepl.
This is working as expected if I don't enforce security and confidentiality with the "security ssf=128" global directive on the master. As soon as I turn it on, replication stops working.
It seems that the slave consumer is not using TLS to connect to master. However I can use 'ldapsearch' with '-ZZ' option to connect to master from slave and get all records I want.
On my slave machine, I also have the following directive
TLS_CACERT /etc/pki/tls/certs/ca.crt.crl
in ldap.conf
Notice that without this line the 'ldapXXX' commands with the '-ZZ' option fail from slave to master. This confirms that 'ldap.conf' is in the correct location, at least as far as the 'ldapXXX' commands are concerned.
Can someone point me in the right direction? I have read many chapters on this page
http://www.openldap.org/doc/admin24/index.html
Both slave and master are on CentOS 6.2 and the OpenLDAP software is the standard CentOS RPM.
Here are the log entries on the master when the slave fails to bind with TLS
May 27 22:14:53 cat slapd[2456]: conn=1000 fd=13 ACCEPT from IP=192.168.0.2:41083 (IP=0.0.0.0:389)
May 27 22:14:53 cat slapd[2456]: conn=1000 op=0 BIND dn="cn=root,dc=example,dc=com" method=128
May 27 22:14:53 cat slapd[2456]: conn=1000 op=0 RESULT tag=97 err=13 text=confidentiality required
May 27 22:14:53 cat slapd[2456]: conn=1000 op=1 UNBIND
May 27 22:14:53 cat slapd[2456]: conn=1000 fd=13 closed
Sincerely
Mr Wu
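As an added illustration (not the poster's own configuration), this is how the two sides of the fix fit together in slapd.conf. Host names, the provider's certificate and key paths, and the credentials are placeholders; the CA file and the bind DN are the ones quoted in the thread.

```conf
# --- Provider (master) slapd.conf ---
# Global directive: refuse any operation that does not have at least
# 128 bits of confidentiality.  This is what rejected the consumer's
# cleartext BIND with "err=13 text=confidentiality required".
security ssf=128

# Server certificate so clients can negotiate StartTLS on port 389.
# The CA file is the one from the thread; the other two paths are placeholders.
TLSCACertificateFile    /etc/pki/tls/certs/ca.crt.crl
TLSCertificateFile      /etc/pki/tls/certs/provider.crt
TLSCertificateKeyFile   /etc/pki/tls/private/provider.key

# --- Consumer (slave) slapd.conf ---
# Every indented line below belongs to the single syncrepl directive.
syncrepl rid=001
        provider=ldap://master.example.com:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        # The thread binds as the rootdn; a dedicated replicator DN with
        # read access to the replicated subtree is the least-privilege choice.
        binddn="cn=root,dc=example,dc=com"
        credentials=REPLACE_WITH_REPLICATOR_PASSWORD
        # starttls=yes (the fix from the thread) asks for TLS but carries on
        # in the clear if negotiation fails, and the provider's ssf=128 then
        # rejects the bind.  starttls=critical aborts the connection instead,
        # so a TLS problem surfaces as a consumer error rather than a stall.
        starttls=critical
        # Name the CA here rather than relying on ldap.conf defaults, and
        # require a valid provider certificate.
        tls_cacert=/etc/pki/tls/certs/ca.crt.crl
        tls_reqcert=demand
```

With starttls=critical, a failed TLS negotiation is logged on the consumer and the bind never reaches the provider in the clear, which makes the "confidentiality required" symptom above unambiguous.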