
Re: Delta-Sync w/ TLS troubles



Dieter Kluenter wrote:
Peter Clark <clarkp@mtmary.edu> writes:

Hello,

I have a FreeBSD 7.2 Release box with openldap-2.4.16 installed on it. I
have followed the Admin guide to setting up Delta-Sync replication and
it works as long as I do not use either "ldaps" or "starttls=yes" on
the slave, i.e.:

syncrepl  rid=0
        provider=ldap://joe.pdq.edu
        starttls=yes
        bindmethod=simple
        binddn="cn=ldaproot,dc=pdq,dc=edu"
        credentials="XXXXXXXXX"
        searchbase="dc=pdq,dc=edu"
        logbase="cn=accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
        syncdata=accesslog

I am missing at least the path to the CA file, something like
tls_cacert=<path.to.file>
man slapd.conf(5) for more TLS-related configuration parameters.

This is my slapd.conf
syncrepl rid=05
        provider=ldap://some.host
        sizelimit=unlimited
        bindmethod=sasl
        saslmech=external
        starttls=yes
        tls_cert=/opt/openldap/etc/openldap/certs/replicator.pem
        tls_key=/opt/openldap/etc/openldap/certs/replicator-key.pem
        tls_cacert=/opt/openldap/etc/openldap/certs/avciCA.pem
        tls_reqcert=try
        searchbase="o=avci,c=de"
        scope=sub
        type=refreshAndPersist
        retry="5 5 300 5"
updateref ldap://some.host

-Dieter


Thanks Dieter,

I reread the 2.4 Admin guide for the 11 billionth time and those little words finally stood out:

"Most of the client configuration directives parallel the server directives. The names of the directives are different, and they go into ldap.conf(5) instead of slapd.conf(5)..."

<sigh>

Peter
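An added example (not Dieter's or Peter's configuration) tying the two points together: the consumer's syncrepl stanza with the TLS parameters Dieter names, set so the consumer actually verifies the provider, and the ldap.conf(5) client directives Peter found. Hostnames, DNs, file paths and the rid are placeholders.

```conf
# slapd.conf on the consumer (replica). Added example; hostnames, DNs,
# paths and rid are placeholders, not values from the thread.
syncrepl rid=001
        provider=ldap://provider.example.edu
        # "critical" aborts the session if StartTLS fails; with plain "yes"
        # slapd continues the syncrepl session without TLS.
        starttls=critical
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=edu"
        credentials="REPLACE_ME"
        # Client-side TLS settings for the consumer's connection to the provider.
        # Without tls_cacert the consumer cannot validate the provider's chain
        # (the failure in the thread). tls_reqcert=demand ends the session if
        # the provider sends no certificate or one that does not verify;
        # "try" tolerates a missing certificate, "allow"/"never" skip checking.
        tls_cacert=/usr/local/etc/openldap/certs/ca.pem
        tls_reqcert=demand
        searchbase="dc=example,dc=edu"
        logbase="cn=accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
        syncdata=accesslog

# ldap.conf on the consumer (ldap.conf(5), the file Peter's quote refers to).
# These are the libldap defaults used when the syncrepl stanza omits tls_*;
# setting them in the stanza above takes precedence for that connection.
TLS_CACERT      /usr/local/etc/openldap/certs/ca.pem
TLS_REQCERT     demand
```

Setting the tls_* options directly in the syncrepl stanza keeps the replication connection's trust configuration next to the directive that uses it, instead of depending on the system-wide ldap.conf.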