Re: Syncrepl with SASL External - SOLVED

[Howard Chu <hyc@symas.com>]

Angela Gavazzi wrote:
> Am Dienstag, 6. MÃrz 2007 19:08 schrieb Pierangelo Masarati:
> > Angela Gavazzi wrote:
> > > I found out that the problem was double encrypting of the connection:
> > What does it mean "double encrypting of the connection"?
> I mean that if I "force" encryption with demand on the provider and on the 
> consumer, then I think the consumer tries to encrypt an encrypted connection. 
> When I use allow on the consumer it works and is encryptet, I checked it with 
> tcpdump.

It seems you haven't read the Admin Guide or the manpages. The 
TLSVerifyClient setting doesn't affect the encryption at all. It only 
controls whether the server will check for a client certificate.

> > > It works now if I set TLSVerifyClient to max. allow on the consumer side.
> > > All stronger configurations end in:
> > > CA unknown.
> > This makes much more sense: your TLS configuration is broken.  Are you
> > using a self-signed certificate?  Or, is your certificate signed by the
> > CA to whom the certificate pointed by TLSCACertificateFile belongs?
>
> The certificate is signed by the CA pointed by TLSCACertficateFile.

In OpenLDAP 2.3 and older, you must also configure TLS_CACERT in the 
ldap.conf (or ldaprc) file on any servers that make outbound 
connections. In OpenLDAP 2.4 you can configure it explicitly in the 
syncrepl consumer configuration.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/