[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: updating from 2.4.20 to 2.4.22 breaks syncrepl/TLS

To: openldap-technical@openldap.org
Subject: Re: updating from 2.4.20 to 2.4.22 breaks syncrepl/TLS
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Wed, 20 Oct 2010 17:04:37 +0100
Cc: Thierry Lacoste <lacoste@u-pec.fr>
In-reply-to: <4E290BDE-3A2E-476F-A433-EECDF8CCFDF4@u-pec.fr>
References: <4E290BDE-3A2E-476F-A433-EECDF8CCFDF4@u-pec.fr>
User-agent: KMail/1.13.3 (Linux/2.6.33.7-desktop-2mnb; KDE/4.4.3; x86_64; ; )

On Wednesday, 20 October 2010 16:13:44 Thierry Lacoste wrote:
> Hello,
> 
> I have 2 CentOS 5.4 servers running OpenLDAP 2.4.20
> installed from Buchan Milne's repository (openldap2.4-
> servers-2.4.20-1.el5).
> 
> The first server is a Sync Provider.
> The second is a consumer with 'starttls=critical'.
> 
> I have no problem after 'yum update' of the master
> (openldap2.4-servers-2.4.22-1.el5 is installed and replication is OK).
> 
> But after 'yum update' of the slave, syncrepl won't work anymore
> because of TLS failures.
> 
> Here are the logs on the master :
> Oct 20 16:51:15 vcos-castor slapd2.4[20097]: @(#) $OpenLDAP: slapd
> 2.4.22 (Apr 27 2010 12:04:27) $
> bgmilne@centos5-32.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/
> openldap-2.4.22/servers/slapd
> Oct 20 16:51:15 vcos-castor slapd2.4[20098]: slapd starting
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 ACCEPT
> from IP=IP.OF.THE.SLAVE:46212 (IP=0.0.0.0:389)
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 STARTTLS
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 RESULT
> oid= err=0 text=
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 closed
> (TLS negotiation failure)
> 
> Here are the logs on the slave :
> Oct 20 16:51:45 vcos-pollux slapd2.4[1808]: @(#) $OpenLDAP: slapd
> 2.4.22 (Apr 27 2010 12:04:27) $
> bgmilne@centos5-32.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/
> openldap-2.4.22/servers/slapd
> Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slapd starting
> Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slap_client_connect:
> URI=ldap://NAME_OF_THE_MASTER Error, ldap_start_tls failed (-11)
> Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: do_syncrepl: rid=000 rc
> -11 retrying (4 retries left)
> 
> ldapsearch from the slave can do TLS :
> $ ldapsearch -ZZ -x -h NAME_OF_THE_MASTER
> This is ldapsearch from openldap-clients-2.3.43-12.el5_5.2 as packaged
> by CentOS
> 
> Any ideas on how to troubleshoot the problem?

Note that the syncrepl statement now has its own tls configuration, see the 
options tls_cert, tls_key, tls_cacert, tls_cacertdir, tls_reqcert, 
tls_ciphersuite, tls_crlcheck to the syncrepl statement.

Regards,
Buchan

Follow-Ups:
- Re: updating from 2.4.20 to 2.4.22 breaks syncrepl/TLS
  - From: Thierry Lacoste <lacoste@u-pec.fr>

References:
- updating from 2.4.20 to 2.4.22 breaks syncrepl/TLS
  - From: Thierry Lacoste <lacoste@u-pec.fr>

Prev by Date: Re: updating from 2.4.20 to 2.4.22 breaks syncrepl/TLS
Next by Date: Re: updating from 2.4.20 to 2.4.22 breaks syncrepl/TLS
Index(es):
- Chronological
- Thread