On 16/07/12 11:47 AM, Andrei BĂNARU wrote:
> Because you're using chain type referrals you need to "trust" the
> certificate from the ldap server you are "referring" to on the LDAP
> clients issuing queries.
Isn't this done by setting up TLS_CACERT in /etc/ldap/ldap.conf and
TLSCACertificateFile in /etc/ldap/slapd.conf?
In my case, on the slave /etc/ldap.conf contains the line "TLS_CACERT
/etc/ssl/certs/cacert.pem" and /etc/ldap/slapd.conf contains the line
"TLSCACertificateFile /etc/ssl/certs/cacert.pem". cacert.pem is the
self-signed cert from the ca that I used to sign the certificates for
each server. ldap client queries with -Z or -ZZ work fine, syncrepl
(with TLS) works fine. slapo-chain + TLS won't work and each time it
gives a TLS negotiation failure.
In an attempt to understand more I started slapd on the master with
debug -1 and found this error:
TLS: can't accept: A record packet with illegal version was received..
connection_read(16): TLS accept failure error=-1 id=1001, closing
The master runs Ubuntu 10.04.4 LTS and slapd @(#) $OpenLDAP: slapd
2.4.21 (Dec 19 2011 15:18:58) $
I'm wondering whether I need to upgrade the master (the slave is Ubuntu
12.04); could this be related to the version of slapd or gnutls?
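Added example (not code from the thread or from the OpenLDAP project): a small triage script for the kind of slapd debug output quoted above. It pairs the "TLS: can't accept: ..." line with the "connection_read(fd): TLS accept failure ... id=N" line that follows it, and joins both to the "conn=N fd=M ACCEPT from IP=..." line for the same connection id, so you can see which peer's handshake fails and with what GnuTLS message. The sample log, the IP addresses and the hint table are constructed for the example; the hints are my own heuristics, not text slapd or GnuTLS emits. The sample is built so that one host (standing in for the slave) succeeds on one connection and fails on another, which is the pattern you would expect when ldapsearch -ZZ and syncrepl work but the slapo-chain connection does not.

```python
"""Triage TLS accept failures in slapd debug output (added example)."""
import re

# slapd's conn=/op= stats lines and the libldap TLS error lines.
ACCEPT_RE = re.compile(r"^conn=(\d+) fd=(\d+) ACCEPT from IP=(\S+)")
ESTABLISHED_RE = re.compile(r"^conn=(\d+) fd=\d+ TLS established")
CANT_ACCEPT_RE = re.compile(r"^TLS: can't accept: (.*?)\.*$")
ACCEPT_FAIL_RE = re.compile(
    r"^connection_read\((\d+)\): TLS accept failure error=(-?\d+) id=(\d+)")

# Heuristic hints keyed on substrings of GnuTLS error strings (my mapping).
HINTS = [
    ("illegal version",
     "bytes received were not a TLS record slapd's GnuTLS accepts; check that "
     "the peer really does StartTLS or ldaps on this port, not plaintext LDAP"),
    ("did not send any certificate",
     "a client certificate was required but none arrived; check TLSVerifyClient "
     "on the server and the client's cert/key settings"),
    ("non-properly terminated",
     "peer closed the socket mid-handshake; look at the peer's own log, it "
     "usually rejected our certificate (e.g. CA not trusted on its side)"),
]

# Constructed sample, NOT the poster's real log. conn 1000/1001 come from the
# same host (the slave): one handshake succeeds, one fails.
SAMPLE_LOG = """\
conn=1000 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=14 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="cn=repl,dc=example,dc=com" method=128
conn=1001 fd=16 ACCEPT from IP=192.0.2.10:44312 (IP=0.0.0.0:389)
conn=1001 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1001 op=0 STARTTLS
conn=1001 op=0 RESULT oid= err=0 text=
TLS: can't accept: A record packet with illegal version was received..
connection_read(16): TLS accept failure error=-1 id=1001, closing
conn=1001 fd=16 closed (TLS negotiation failure)
conn=1002 fd=17 ACCEPT from IP=192.0.2.30:40001 (IP=0.0.0.0:389)
conn=1002 op=0 STARTTLS
TLS: can't accept: The TLS connection was non-properly terminated..
connection_read(17): TLS accept failure error=-1 id=1002, closing
"""


def hint_for(reason):
    """Map a GnuTLS error string to a next step to check (heuristic)."""
    for needle, hint in HINTS:
        if needle in reason:
            return hint
    return "unmapped GnuTLS error; compare with the client's own log"


def triage(log_text):
    """Return {conn_id: {peer, fd, tls, reason, hint}} for every ACCEPTed conn."""
    conns = {}
    last_reason = None  # the "can't accept" line precedes the connection_read line
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            cid, fd, peer = m.groups()
            conns[cid] = {"peer": peer, "fd": fd, "tls": "none",
                          "reason": None, "hint": None}
            continue
        m = ESTABLISHED_RE.match(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["tls"] = "established"
            continue
        m = CANT_ACCEPT_RE.match(line)
        if m:
            last_reason = m.group(1)
            continue
        m = ACCEPT_FAIL_RE.match(line)
        if m:
            fd, err, cid = m.groups()
            rec = conns.setdefault(cid, {"peer": "?", "fd": fd, "tls": "none",
                                         "reason": None, "hint": None})
            rec["tls"] = "failed"
            rec["reason"] = last_reason or "error=" + err
            rec["hint"] = hint_for(rec["reason"])
            last_reason = None
    return conns


def failing_peers(conns):
    """Group failed TLS accepts by peer IP: {ip: [reason, ...]}."""
    out = {}
    for rec in conns.values():
        if rec["tls"] == "failed":
            ip = rec["peer"].rsplit(":", 1)[0]
            out.setdefault(ip, []).append(rec["reason"])
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for cid, rec in sorted(result.items(), key=lambda kv: int(kv[0])):
        print(f"conn={cid} peer={rec['peer']} tls={rec['tls']}")
        if rec["reason"]:
            print(f"    reason: {rec['reason']}\n    hint:   {rec['hint']}")
    for ip, reasons in failing_peers(result).items():
        print(f"{ip}: {len(reasons)} failed TLS accept(s)")
```

To use it on a real capture, run the master with e.g. `slapd -d -1 2>&1 | tee slapd.log` (the conn= stats lines also appear at lower levels such as `-d stats`) and feed the file to `triage()`. If the only failing connection comes from the slave's address while the slave's syncrepl connection on the same host shows "TLS established", the CA file is evidently trusted by libldap on that host, and the place to look next is the TLS settings of the chain overlay's ldap backend (the chain-tls line and the URI it chains to) rather than TLS_CACERT itself.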