
RE: Unknown CA error - replication

Gary,

Sorry, I was unclear... I didn't make the certs for master and slave to
do two-way authentication during replication.  I just made them so both
can send the certs to any clients that connect to them for accessing
data via LDAP.  I realize that it's kind of irrelevant here.  I just
wanted to emphasize I am using the same CA cert on both machines despite
the "unknown ca" error. 

I am using RedHat, and I have made the changes to
/etc/openldap/ldap.conf as well as to /etc/ldap.conf just to be sure.
Not sure what all you mean by replication related dn info, but here is
what's in the master's slapd.conf:

replogfile /etc/logs/replog.log
replica uri=ldaps://slave.myserver.com
        binddn="cn=Manager,dc=myserver,dc=com"
        bindmethod=simple credentials=secret

On the client's slapd.conf:

updatedn "cn=Manager,dc=myserver,dc=com"
updateref ldaps://master.myserver.com

Hope that helps.  Thanks for the feedback.

-Mike

-----Original Message-----
From: Tay, Gary [mailto:Gary_Tay@platts.com] 
Sent: Thursday, September 30, 2004 8:57 PM
To: McMaster, Michael
Subject: RE: Unknown CA error - replication

Mike,

There are some unusual things here you are doing.

Most people will NOT create a client cert, and do only one-way "client
verifies server cert but server does not do the reverse".

/etc/ldap.conf is usually reserved for NSS_LDAP and PAM_LDAP; you should
put the cacert.pem in $ETC_OPENLDAP/ldap.conf, on Redhat this is
/etc/openldap/ldap.conf, or by default it should be
/usr/local/etc/openldap/ldap.conf.

You should post the replication-related DN info to the mailing list. Do not
forward my email to the list.

You may find my HOWTO useful, or not:
http://web.singnet.com.sg/~garyttt/

Regards
Gary
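As an added example that is not part of either message in this thread (and not Mike's or Gary's configuration): a POSIX shell script that checks which CA bundle the OpenLDAP client library will actually use (the TLS_CACERT line in /etc/openldap/ldap.conf, the file Gary points at, rather than /etc/ldap.conf) and then reproduces the "unknown ca" outcome offline with throwaway keys generated by openssl in a temporary directory. Every hostname, subject and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from this thread): diagnose an "unknown ca" TLS failure
# for an OpenLDAP client.  Assumptions: hostnames, subjects and the temporary
# directory below are constructed for the demo, not a real deployment.

# Print the TLS_CACERT value the OpenLDAP client library would take from the
# given ldap.conf.  Keywords are case-insensitive, '#' starts a comment, and a
# later setting overrides an earlier one.
ldap_conf_cacert() {
    awk 'toupper($1) == "TLS_CACERT" { v = $2 } END { if (v != "") print v }' "$1"
}

# Return 0 when the ldap.conf names a readable PEM CA bundle, 1 otherwise.
# Run this against /etc/openldap/ldap.conf; /etc/ldap.conf belongs to
# nss_ldap/pam_ldap and is not read by the OpenLDAP client library.
check_ldap_conf() {
    conf=$1
    cacert=$(ldap_conf_cacert "$conf")
    if [ -z "$cacert" ]; then
        echo "$conf: no TLS_CACERT set; the client cannot verify any server cert" >&2
        return 1
    fi
    if [ ! -r "$cacert" ]; then
        echo "$conf: TLS_CACERT=$cacert is not readable" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        echo "$conf: TLS_CACERT=$cacert does not look like a PEM certificate" >&2
        return 1
    fi
    echo "$conf: TLS_CACERT=$cacert looks usable"
    return 0
}

# Verify a server certificate against a CA bundle the way the client does:
# exit 0 means the chain builds; non-zero is the "unknown ca" case.
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo with constructed keys: a CA, a server cert signed by it, and an unrelated
# CA standing in for "the wrong cacert.pem on the client".
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo"; return 0; }
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo LDAP CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Some Other CA" \
        -keyout "$d/other.key" -out "$d/other.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=slave.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv.pem" >/dev/null 2>&1

    # A client-side ldap.conf (constructed) that trusts the right CA.
    printf 'URI ldaps://slave.example.test\nTLS_CACERT %s/ca.pem\n' "$d" > "$d/ldap.conf"
    check_ldap_conf "$d/ldap.conf"

    if verify_server_cert "$d/ca.pem" "$d/srv.pem"; then
        echo "server cert against the CA that issued it: OK"
    fi
    if ! verify_server_cert "$d/other.pem" "$d/srv.pem"; then
        echo "server cert against an unrelated CA: FAILS (this is the 'unknown ca' error)"
    fi
    rm -rf "$d"
}

demo
```

To use it on a real host, call check_ldap_conf with the path of the ldap.conf the client library reads (on the Red Hat layout from the thread, /etc/openldap/ldap.conf), then verify_server_cert with that TLS_CACERT file and the PEM the server presents; if the second step fails while the first passes, the bundle on the client is not the CA that signed the server certificate, which is exactly what the "unknown ca" alert reports.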