Re: Single-master replication over TLS fails in 2.4.15

[Howard Chu <hyc@symas.com>]

Craig Worgan wrote:
> Hi Howard,
>
> I actually thought that my certificate was bad, until I went back to 2.3
> with the same certificate and configuration and it worked fine.  Quanah
> pointed out the new TLS related syncrepl options which, when I added
> them to my config, fixed the problem.  Thing is, I pointed the syncrepl
> options to the same certificate I am using for the TLS* server
> certificate directives. I am using a compound certificate, so my TLS
> related config looks like this:
>
> ...
> TLSCertificateFile 0.pem
> TLSCACertificateFile 0.pem
> TLSCertificateKeyFile 0.pem

Combining the private and public elements of the certs into one file is not wise.

> ...
> syncrepl rid=983
>   provider=ldaps://myhost.nortel.com:10636
>   type=refreshAndPersist
>   searchbase=dc=nortel,dc=com
>   bindmethod=simple
>   binddn=cn=someaccount,dc=nortel,dc=com
>   credentials=secret
>   retry="30 +"
>   tls_cert=0.pem
>   tls_cacert=0.pem
>   tls_key=0.pem
>
> In 2.4, if you configure syncrepl over TLS and omit the new options,
> does OpenLDAP use the values that are configured for the server
> certificate settings (TLS*), if any?

That's already explicitly stated in the slapd.conf(5) manpage.

> If so, I'm confused as to why it
> failed for me originally.

I have no idea, it works for me.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/