
Re: syncrepl - ldap_start_tls failed (-11)



On Thursday 06 December 2007 16:50:16 Cristian Laufer wrote:
> Hello Quanah,
>
> sorry, I am actually using:
>
> provider=ldap://192.168.0.7:389
>
> Would that be ok to use?
>
> Cristian
>
> Quanah Gibson-Mount schrieb:
> > --On December 5, 2007 3:17:01 PM +0100 Cristian Laufer
> >
> > <laufer@uni-koblenz-landau.de> wrote:
> >> Hello All,
> >> syncrepl rid=123
> >> starttls=yes
> >> provider=ldap://ldapmaster:389
> >
> > TLS generally requires FQDNs.  Fix your provider URL.

The name you provide to the software must match the subject CN on the cert.

However, instead of guessing, why don't you rather do an ldapsearch, exactly 
as your syncrepl is configured, with SSL enabled etc., until you can get 
ldapsearch to accept the cert?

I haven't tried a subjectCN of an IP, but I suspect that wouldn't work; you 
would rather use a subjectAlternateName=IP:192.168.0.7 ... but you should 
rather just use a hostname (entry in /etc/hosts if necessary to get it to the 
right IP) that matches the subjectCN on the cert.

Regards,
Buchan
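The matching rule Buchan describes (the host in the provider URL must agree with the certificate's subject CN, and an IP address only matches an IP subjectAltName), shown as an added example that is not part of this thread or of OpenLDAP. It assumes certificates in the dict shape Python's ssl.getpeercert() returns, with constructed sample certs; the hostname rules follow RFC 2818/6125 (SAN takes precedence, CN is a fallback for DNS names only).

```python
import ipaddress
from urllib.parse import urlsplit


def name_from_provider(url):
    """Host part of a syncrepl provider URL, e.g. 'ldapmaster' from 'ldap://ldapmaster:389'."""
    return urlsplit(url).hostname


def _dns_match(pattern, host):
    # Case-insensitive exact match, or one leading wildcard label:
    # "*.example.org" matches "ldap.example.org" but not "example.org".
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return False


def cert_matches_name(cert, name):
    """True if `name` (hostname or IP literal) is a valid identity for `cert`."""
    try:
        ip = ipaddress.ip_address(name)      # IP literal such as 192.168.0.7
    except ValueError:
        ip = None                            # plain hostname such as ldapmaster
    sans = cert.get("subjectAltName", ())
    if sans:
        # A SAN extension is authoritative: the CN is not consulted at all.
        for kind, value in sans:
            if ip is not None and kind == "IP Address":
                if ipaddress.ip_address(value) == ip:
                    return True
            elif ip is None and kind == "DNS" and _dns_match(value, name):
                return True
        return False
    # No SAN: fall back to the subject CN, but only for DNS names. An IP
    # literal never matches a CN, which is why an IP provider URL fails
    # against a cert issued to CN=ldapmaster.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and ip is None and _dns_match(value, name):
                return True
    return False


# Constructed sample certificates (assumed, not taken from the thread).
CN_ONLY = {"subject": ((("commonName", "ldapmaster"),),)}
WITH_IP_SAN = {"subject": ((("commonName", "ldapmaster"),),),
               "subjectAltName": (("DNS", "ldapmaster"), ("IP Address", "192.168.0.7"))}
```

Running cert_matches_name(CN_ONLY, name_from_provider("ldap://192.168.0.7:389")) gives False, while the same URL against WITH_IP_SAN gives True; the hostname URL matches both.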