Hello,
tls_reqcert=never is necessary for the replication. If it is not defined, I get an error.
The weird thing is that I have the same configuration on another host, running Debian Lenny with slapd version 2.4.23-3, and there I don't have to define this parameter.
The server I am reporting the error on is running 2.4.23-7 on Squeeze.
Is there any way to explain this difference?
Regards,
Hugo
On 17 October 2011 04:27, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Sunday, October 16, 2011 12:51 AM -0700 Howard Chu hyc@symas.com wrote:
Quanah Gibson-Mount wrote:
--On October 13, 2011 10:43:55 AM -0700 Josh Miller joshua@itsecureadmin.com wrote:
On Oct 13, 2011, at 10:29 AM, Quanah Gibson-Mount wrote:
I don't see any of the tls_* options to the syncrepl configuration here. Likely the syncrepl client is unable to verify the master's cert. I would note that using refreshOnly is ill-advised.
Hi Quanah,
Why is RefreshOnly ill-advised? That is the recommendation in the docs (very timely as I just set this up again myself).
The admin guide has examples, not recommendations. In any case, I fully intend to change those examples to refreshAndPersist so people stop defaulting to refreshOnly. It is not always reliable, and you significantly delay your replication by using it.
Of course, it may be the only thing that works reliably if you have a firewall that silently kills old connections.
The examples should stand as-is. We cannot predict what environment it's going to be deployed in. It's up to administrators to use their brains and know these details of their network.
I think at the least we should document both. Virtually everyone takes the admin guide verbatim without comprehending what it is they are doing. Giving them two options would hopefully at least make them have to consider why there are multiple options.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
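For readers following the thread, here is an added example (not posted by anyone in the thread, and not OpenLDAP project code) of the two consumer-side syncrepl stanzas being discussed, written in slapd.conf syntax: the tls_reqcert=never configuration that Hugo reports as the only one that works, next to a verifying configuration of the kind Quanah's diagnosis ("unable to verify the master's cert") points toward, with refreshAndPersist in place of refreshOnly. The hostname, file path, DNs, credentials and rid values are placeholders; a real database section carries one syncrepl directive, so keep only one of the two.

```conf
# Added example, not from the thread. Consumer-side syncrepl directives for
# slapd.conf. provider.example.com, /etc/ssl/certs/provider-ca.pem, the DNs,
# the password and the rid values are placeholders.

# 1) The configuration reported as working in the thread.
#    tls_reqcert=never means the consumer accepts whatever certificate the
#    provider presents, so a host that can intercept the connection can pose
#    as the provider and receive the replication bind credentials and any
#    data the consumer sends. refreshOnly polls on a fixed interval, so
#    changes arrive no sooner than the next poll.
syncrepl rid=001
         provider=ldap://provider.example.com
         type=refreshOnly
         interval=00:00:05:00
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials=secret
         starttls=critical
         tls_reqcert=never

# 2) Verifying alternative. tls_cacert names the CA that signed the
#    provider's certificate and tls_reqcert=demand makes the consumer refuse
#    the session unless the chain validates and the name matches the URL.
#    refreshAndPersist keeps the connection open so the provider pushes
#    changes as they happen instead of waiting for the next poll.
syncrepl rid=002
         provider=ldap://provider.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials=secret
         starttls=critical
         tls_reqcert=demand
         tls_cacert=/etc/ssl/certs/provider-ca.pem
```

Before switching the consumer to the verifying form, check from the consumer host that the chain actually validates with the CA file you intend to use, for example `LDAPTLS_CACERT=/etc/ssl/certs/provider-ca.pem ldapsearch -ZZ -x -H ldap://provider.example.com -b '' -s base`; `-ZZ` makes ldapsearch fail rather than fall back if StartTLS does not succeed. If that command fails while the same one succeeds on the Lenny host, compare the CA bundle each host trusts and whether the provider's certificate name matches the hostname in the provider= URL; a difference there, rather than the slapd version, is the usual reason one consumer needs tls_reqcert=never and another does not.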