I have the following attributes set in my ldap backend for the chain overlay.
olcDbURI: "ldaps://ds2-q.global.aep.com:636"
olcDbStartTLS: ldaps starttls=no tls_cacert="/appl/openldap/etc/openldap/tls/cacerts.cer" tls_reqcert=demand tls_crlcheck=none
The referenced file is the exact same file I use in this global attribute:
olcTLSCACertificateFile: /appl/openldap/etc/openldap/tls/cacerts.cer
This is a 2.4.44 replication consumer using the following replication attribute:
olcSyncrepl: {1}rid=112 provider=ldaps://ds2-q.global.aep.com:636 binddn="cn=syncuser,ou=Automatons,ou=Users,dc=Global,dc=aep,dc=com" bindmethod=simple credentials=<redacted> searchbase="dc=Global,dc=aep,dc=com" type=refreshAndPersist retry="5 5 300 +" timeout=1
Replication works perfectly and changes to the referenced master are replicated to this slave. I can see successful connections for rid=112 to this master in the log. The problem is when the chain overlay tries to follow referrals to this same master I get the following error:
595fbb1c conn=1000 op=1 ldap_chain_op: ref="ldaps://ds2-q.global.aep.com:636/uid=s012235,ou=Employees,ou=Users,dc=Global,dc=aep,dc=com" -> "ldaps://ds2-q.global.aep.com:636"
595fbb1c conn=1000 op=1 ldap_chain_op: ref="ldaps://ds2-q.global.aep.com:636/uid=s012235,ou=Employees,ou=Users,dc=Global,dc=aep,dc=com": URI="ldaps://ds2-q.global.aep.com:636" found in cache
ldap_create
ldap_url_parse_ext(ldaps://ds2-q.global.aep.com:636)
595fbb1c =>ldap_back_getconn: conn=1000 op=1: lc=0x10180430 inserted refcnt=1 rc=0
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ds2-q.global.aep.com:636
ldap_new_socket: 16
ldap_prepare_socket: 16
ldap_connect_to_host: Trying 10.92.127.52:636
ldap_pvt_connect: fd: 16 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=Ohio/L=Columbus/O=American Electric Power/OU=Complex - Middleware/CN=AEP Root CA (2014)/emailAddress=middleware@aep.com, issuer: /C=US/ST=Ohio/L=Columbus/O=American Electric Power/OU=Complex - Middleware/CN=AEP Root CA (2014)/emailAddress=middleware@aep.com
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
595fbb1c send_ldap_result: conn=1000 op=1 p=3
595fbb1c send_ldap_result: conn=1000 op=1 p=3
595fbb1c send_ldap_response: msgid=2 tag=103 err=52
ber_flush2: 14 bytes to sd 15
595fbb1c conn=1000 op=1 RESULT tag=103 err=52 text=
So, is there something wrong with the value of the olcDbStartTLS attribute that I'm not seeing?
-Jon C. Kidder
American Electric Power
Complex - Middleware Engineering
openldap-technical@openldap.org
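The verification failure in the log above (depth 1, err 19, "self signed certificate in certificate chain") is what OpenSSL reports when the chain the server presents ends at a self-signed root that is not in the CA file the client was given. The script below is an added example, not part of the original post or of OpenLDAP: it builds a throwaway root CA and server certificate with the openssl command-line tool (assumed to be installed), reproduces error 19 by verifying against a CA file that lacks that root, shows the same check pass when the root is present, and includes a fingerprint check that tells you whether a given CA bundle (the file named by tls_cacert or olcTLSCACertificateFile) actually holds the root the server sends. All names (Example Root CA, ldap.example.test, Unrelated CA) are constructed placeholders.

```shell
#!/bin/sh
# Added example: reproduce and diagnose OpenSSL verify error 19 with throwaway certs.
# Not OpenLDAP code; assumes the openssl CLI is on PATH. Names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA (stands in for "AEP Root CA" style roots in a real deployment).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Example Root CA" >/dev/null 2>&1

# Server key and CSR, signed by that root.
openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" -subj "/CN=ldap.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/srv.pem" >/dev/null 2>&1

# The chain as an LDAP server would present it during the handshake: leaf, then root.
cat "$WORK/srv.pem" "$WORK/ca.pem" > "$WORK/chain.pem"

# An unrelated CA file: what a wrong or stale tls_cacert path effectively gives the client.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" -subj "/CN=Unrelated CA" >/dev/null 2>&1

# verify_chain CAFILE
# Verifies the presented chain the way a TLS client with tls_reqcert=demand would:
# only CAFILE is trusted, the server-sent certificates are merely "untrusted" input.
# Prints "...: OK" on success or the openssl error text (error 19 for a missing root).
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$WORK/chain.pem" "$WORK/srv.pem" 2>&1
}

# cafile_has_issuer CAFILE ROOTCERT
# Returns 0 if CAFILE contains a certificate with the same SHA-256 fingerprint as
# ROOTCERT (the self-signed cert at the top of the chain the server sends).
# This is the check to run against the real CA bundle when error 19 appears.
cafile_has_issuer() {
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256 | cut -d= -f2)
    rm -rf "$WORK/split"
    mkdir -p "$WORK/split"
    # Split the PEM bundle into one file per certificate.
    awk -v d="$WORK/split" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$1"
    for c in "$WORK/split"/*.pem; do
        got=$(openssl x509 -in "$c" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
        [ -n "$got" ] && [ "$got" = "$want" ] && return 0
    done
    return 1
}

# Demonstration when run stand-alone.
echo "--- CA file contains the root:"
verify_chain "$WORK/ca.pem" || true
echo "--- CA file does not contain the root:"
verify_chain "$WORK/other.pem" || true
if cafile_has_issuer "$WORK/ca.pem" "$WORK/ca.pem"; then
    echo "ca.pem holds the presented root"
fi
if ! cafile_has_issuer "$WORK/other.pem" "$WORK/ca.pem"; then
    echo "other.pem does not hold the presented root"
fi
```

To apply the same check to a live server, extract the last certificate that `openssl s_client -connect host:636 -showcerts` prints and pass it as the ROOTCERT argument together with the bundle named in tls_cacert; if the fingerprint is not found, the TLS client cannot succeed no matter what the rest of the olcDbStartTLS line says.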