Full_Name: Patrick Hemmer Version: 2.4.31 OS: RHEL 6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (74.238.31.70) I have 2 servers (version 2.4.31) in multi-master-replication behind a single IP. Whenever replication tries to start, it fails because the cert name does not match the hostname. ---- TLS: hostname (per5-unity-ldap02.mbox.net) does not match common name in certificate (unity-ldap.mbox.net). 5009c52e slap_client_connect: URI=ldap://per5-unity-ldap02.mbox.net Error, ldap_start_tls failed (-11) 5009c52e do_syncrepl: rid=523 rc -11 retrying (5 retries left) ---- However in the slapd configuration, I have the olcSyncrepl tls_reqcert parameter set to 'never' ---- dn: olcDatabase={3}hdb,cn=config olcSyncrepl: {0}rid=513 provider="ldap://per5-unity-ldap01.mbox.net" network-timeout=2 retry="1 10 10 60 60 +" keepalive="60:3:60" starttls=critical tls_reqcert=never bindmethod=simple timeout=2 binddn="uid=foo,cn=bar" credentials="baz" type=refreshAndPersist searchbase="dc=my,dc=domain" olcSyncrepl: {1}rid=523 provider="ldap://per5-unity-ldap02.mbox.net" network-timeout=2 retry="1 10 10 60 60 +" keepalive="60:3:60" starttls=critical tls_reqcert=never bindmethod=simple timeout=2 binddn="uid=foo,cn=bar" credentials="baz" type=refreshAndPersist searchbase="dc=my,dc=domain" ---- I have also tried tls_reqcert=allow with the same result. And in a desperate attempt, I also tried setting tls_cacert=/dev/null in the hope that if it couldn't verify the cert it wouldnt check the hostname against the cert subject, but this failed as well.
I've come up with a few more critical details while trying to solve the issue. 1) If the other master is started first, when the local slapd starts, syncrepl connects and works fine. It only fails if the other master is started after the local slapd is running. 2) If I delete the specific olcSyncrepl attribute for one that is failing, and then add it back, syncrepl starts working fine. 3) After deleting and re-adding the olcSyncrepl attribute to make syncrepl work, if I stop and start the other master slapd, syncrepl starts failing again.
--On Friday, July 20, 2012 10:06 PM +0000 openldap@stormcloud9.net wrote: > I have also tried tls_reqcert=allow with the same result. And in a > desperate attempt, I also tried setting tls_cacert=/dev/null in the hope > that if it couldn't verify the cert it wouldnt check the hostname against > the cert subject, but this failed as well. Which of the three TLS software packages is your openldap build linked to? OpenSSL MozNSS GnuTLS Thanks, Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
Sent: Tue Jul 24 2012 12:15:27 GMT-0400 (EDT) From: quanah@zimbra.com To: openldap-its@openldap.org Subject: Re: (ITS#7330) slapd mmr failure due to tls cert name mismatch > Which of the three TLS software packages is your openldap build linked to? > > OpenSSL > MozNSS > GnuTLS > > Thanks, > Quanah > OpenSSL
moved from Incoming to Software Bugs
*** This issue has been marked as a duplicate of issue 8427 ***