Re: updating from 2.4.20 to 2.4.22 breaks syncrepl/TLS



Are you using self-signed certificates? Could it be that the update
overwrote your CA certificate file, or overwrote the path to your CA
file(s) with one that doesn't contain your own CA's certificate in some
config file?


Thierry Lacoste wrote:
> Hello,
> 
> I have 2 CentOS 5.4 servers running OpenLDAP 2.4.20
> installed from Buchan Milne's repository
> (openldap2.4-servers-2.4.20-1.el5).
> 
> The first server is a Sync Provider.
> The second is a consumer with 'starttls=critical'.
> 
> I have no problem after 'yum update' of the master
> (openldap2.4-servers-2.4.22-1.el5 is installed and replication is OK).
> 
> But after 'yum update' of the slave, syncrepl won't work anymore because
> of TLS failures.
> 
> Here are the logs on the master :
> Oct 20 16:51:15 vcos-castor slapd2.4[20097]: @(#) $OpenLDAP: slapd
> 2.4.22 (Apr 27 2010 12:04:27) $    
> bgmilne@centos5-32.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/openldap-2.4.22/servers/slapd
> 
> Oct 20 16:51:15 vcos-castor slapd2.4[20098]: slapd starting
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 ACCEPT from
> IP=IP.OF.THE.SLAVE:46212 (IP=0.0.0.0:389)
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 STARTTLS
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 RESULT oid=
> err=0 text=
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 closed (TLS
> negotiation failure)
> 
> Here are the logs on the slave :
> Oct 20 16:51:45 vcos-pollux slapd2.4[1808]: @(#) $OpenLDAP: slapd 2.4.22
> (Apr 27 2010 12:04:27) $    
> bgmilne@centos5-32.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/openldap-2.4.22/servers/slapd
> 
> Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slapd starting
> Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slap_client_connect:
> URI=ldap://NAME_OF_THE_MASTER Error, ldap_start_tls failed (-11)
> Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: do_syncrepl: rid=000 rc -11
> retrying (4 retries left)
> 
> ldapsearch from the slave can do TLS :
> $ ldapsearch -ZZ -x -h NAME_OF_THE_MASTER
> This is ldapsearch from openldap-clients-2.3.43-12.el5_5.2 as packaged
> by CentOS
> 
> Any ideas on how to troubleshoot the problem?
> 
> Regards,
> Thierry
> 
> PS : as a side note both servers are Xen VMs running on CentOS hosts.
> 

-- 
Prentice
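An added diagnostic for the hypothesis in this reply (example code, not from the thread or from the OpenLDAP project): it finds which CA file the consumer's syncrepl client is configured to use and checks whether that file still contains your own CA. The config snippets, paths and PEM blobs are constructed placeholders, and the precedence rule it applies (a tls_cacert= option on the syncrepl directive over TLS_CACERT in ldap.conf) is an assumption to confirm against slapd.conf(5) and ldap.conf(5) for your version.

```python
import base64, hashlib, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 hex fingerprint of every certificate block in a PEM bundle."""
    return {hashlib.sha256(base64.b64decode(b)).hexdigest() for b in PEM_RE.findall(text)}

def unfold(text):
    """Drop comments; join slapd.conf-style continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def consumer_cacert(slapd_conf, ldap_conf):
    """CA file the consumer uses: syncrepl tls_cacert= if set, else ldap.conf TLS_CACERT (assumed)."""
    for line in unfold(slapd_conf):
        m = re.search(r'\btls_cacert="?([^"\s]+)', line)
        if line.lower().startswith("syncrepl ") and m:
            return m.group(1)
    for line in unfold(ldap_conf):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "TLS_CACERT":
            return parts[1]
    return None

def check_cacert(path, our_ca_pem, read):
    """Returns 'unset', 'missing', 'no-certs', 'ca-not-present' or 'ok'; read(path) -> text or None."""
    if path is None:
        return "unset"
    text = read(path)
    if text is None:
        return "missing"          # the configured path no longer exists
    found = pem_fingerprints(text)
    if not found:
        return "no-certs"         # file exists but holds no PEM certificate
    return "ok" if pem_fingerprints(our_ca_pem) <= found else "ca-not-present"

# Constructed placeholders (not real certs, not the thread's paths): the update kept
# the configured path but replaced the bundle with one that lacks our CA.
OUR_CA = "-----BEGIN CERTIFICATE-----\nT1VSX0NB\n-----END CERTIFICATE-----\n"
SLAPD_CONF = "syncrepl rid=000\n  provider=ldap://provider.example\n  starttls=critical\n"
LDAP_CONF = "# client defaults\nTLS_CACERT /etc/openldap/cacerts/ca.pem\n"
FS = {"/etc/openldap/cacerts/ca.pem": "-----BEGIN CERTIFICATE-----\nRElTVFJP\n-----END CERTIFICATE-----\n"}
```

Run it against real files by passing a reader such as `lambda p: open(p).read() if os.path.isfile(p) else None` and your actual CA PEM; a result of `ca-not-present` or `missing` on the consumer matches the overwrite scenario suggested above.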