
Re: how can make slave use tls to connect to master for syncrepl (solved)



Never mind.

I had to put this line in the syncrepl section of the slave

  starttls=yes

Sorry about the noise.

On Sun, May 27, 2012 at 10:29 PM, zhong ming wu <mr.z.m.wu@gmail.com> wrote:
> Hello
>
> I am using version 2.4 and in the process of setting up a master/slave
> pair using syncrepl.
>
> This is working as expected if I don't enforce security and
> confidentiality with the "security ssf=128" global directive in the
> master.
> As soon as I turn it on, replication stops working.
>
> It seems that the slave consumer is not using TLS to connect to
> master. However I can use 'ldapsearch' with the '-ZZ' option to connect
> to master from slave and get all records I want.
>
> On my slave machine, I also have the following directive
>
>  TLS_CACERT /etc/pki/tls/certs/ca.crt.crl
>
> in ldap.conf
>
> Notice that without this line 'ldapXXX' commands with '-ZZ' fail from
> slave to master.  This confirms that 'ldap.conf' is in the correct
> location, at least as far as 'ldapXXX' commands are concerned.
>
> Can someone point me in the right direction?  I have read many
> chapters on this page
>
> http://www.openldap.org/doc/admin24/index.html
>
> Both slave and master are on centos 6.2 and openldap software is
> standard centos rpm.
>
> Here are the log entries on the master when slave fails to bind with TLS
>
> May 27 22:14:53 cat slapd[2456]: conn=1000 fd=13 ACCEPT from
> IP=192.168.0.2:41083 (IP=0.0.0.0:389)
> May 27 22:14:53 cat slapd[2456]: conn=1000 op=0 BIND
> dn="cn=root,dc=example,dc=com" method=128
> May 27 22:14:53 cat slapd[2456]: conn=1000 op=0 RESULT tag=97 err=13
> text=confidentiality required
> May 27 22:14:53 cat slapd[2456]: conn=1000 op=1 UNBIND
> May 27 22:14:53 cat slapd[2456]: conn=1000 fd=13 closed
>
> Sincerely
>
> Mr Wu
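Added example, not part of this thread and not OpenLDAP's own tooling: a short Python script that turns the diagnosis above into two checks. The first walks the provider's slapd log and reports every BIND that slapd refused with err=13 (confidentialityRequired), together with the peer address, so a consumer binding in the clear against a `security ssf=128` provider shows up immediately. The second scans a consumer's slapd.conf for `syncrepl` stanzas and reports whether each one asks for TLS at all. The log lines are a constructed copy of those quoted above; the three syncrepl stanzas and the host name `cat.example.com` are assumptions made for the example.

```python
import re

# Constructed sample: the provider-side slapd log lines quoted in the thread.
SAMPLE_LOG = """\
May 27 22:14:53 cat slapd[2456]: conn=1000 fd=13 ACCEPT from IP=192.168.0.2:41083 (IP=0.0.0.0:389)
May 27 22:14:53 cat slapd[2456]: conn=1000 op=0 BIND dn="cn=root,dc=example,dc=com" method=128
May 27 22:14:53 cat slapd[2456]: conn=1000 op=0 RESULT tag=97 err=13 text=confidentiality required
May 27 22:14:53 cat slapd[2456]: conn=1000 op=1 UNBIND
May 27 22:14:53 cat slapd[2456]: conn=1000 fd=13 closed
"""

# Constructed sample consumer config (host name and rids are assumptions):
# rid=001 is the stanza as the thread started (no TLS), rid=002 is the fix as
# posted (starttls=yes), rid=003 asks for TLS and refuses to continue without it.
SAMPLE_CONSUMER_CONF = """\
syncrepl rid=001
   provider=ldap://cat.example.com:389
   type=refreshAndPersist
   searchbase="dc=example,dc=com"
   bindmethod=simple
   binddn="cn=root,dc=example,dc=com"
   credentials=secret
syncrepl rid=002
   provider=ldap://cat.example.com:389
   starttls=yes
   searchbase="dc=example,dc=com"
syncrepl rid=003
   provider=ldap://cat.example.com:389
   starttls=critical
   searchbase="dc=example,dc=com"
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)(?: text=(.*))?")
PARAM_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def find_rejected_binds(log_text):
    """Return (conn, peer_ip, bind_dn, text) for each BIND that slapd answered
    with err=13, i.e. a client that tried to authenticate before negotiating
    TLS on a provider that enforces a minimum security strength factor."""
    peers = {}    # conn id -> client IP from the ACCEPT line
    binds = {}    # (conn, op) -> bind DN
    hits = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            peers[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            binds[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) == "13" and (m.group(1), m.group(2)) in binds:
            conn, op = m.group(1), m.group(2)
            text = (m.group(4) or "").strip()
            hits.append((conn, peers.get(conn, "?"), binds[(conn, op)], text))
    return hits


def check_syncrepl_tls(conf_text):
    """Return [(rid, verdict)] for every syncrepl stanza in a slapd.conf text.
    'ok'       : provider is ldaps:// or starttls=critical
    'fallback' : starttls=yes (consumer continues in clear if StartTLS fails)
    'missing'  : no TLS requested at all (the situation in the thread)"""
    stanzas = []
    for line in conf_text.splitlines():
        if line.startswith("syncrepl"):
            stanzas.append(line)
        elif stanzas and line[:1] in (" ", "\t"):
            stanzas[-1] += " " + line.strip()   # slapd.conf continuation line
    results = []
    for stanza in stanzas:
        params = {k: v.strip('"') for k, v in PARAM_RE.findall(stanza)}
        provider = params.get("provider", "")
        starttls = params.get("starttls", "").lower()
        if provider.startswith("ldaps://") or starttls == "critical":
            verdict = "ok"
        elif starttls == "yes":
            verdict = "fallback"
        else:
            verdict = "missing"
        results.append((params.get("rid", "?"), verdict))
    return results


if __name__ == "__main__":
    for conn, ip, dn, text in find_rejected_binds(SAMPLE_LOG):
        print(f"conn={conn} from {ip}: bind as {dn} rejected ({text})")
    for rid, verdict in check_syncrepl_tls(SAMPLE_CONSUMER_CONF):
        print(f"syncrepl rid={rid}: {verdict}")
```

Run against the thread's log the first check reports the single rejected bind from 192.168.0.2, which is exactly the symptom the original question described. The config check distinguishes `starttls=yes` from `starttls=critical` because slapd.conf(5) defines them differently: with `yes` the consumer attempts StartTLS and, if the request fails, carries on without TLS, whereas `critical` aborts the session. On a provider that enforces `security ssf=128` the clear-text fallback is refused server-side anyway, but `critical` keeps the consumer from ever sending its bind credentials in the clear.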