Re: syncrepl tls_cert file not red ?

[Rich Megginson <rich.megginson@gmail.com>]

On 10/11/2011 03:10 AM, Olivier wrote:
> I now have a new issue with TLS : certificate files are even not red and
> presented to the server anymore.
>
> I have this on server ldap2 :
>
> syncrepl rid=211
>      provider=ldap://ldap1.example.fr:389
>      searchbase="dc=example,dc=fr"
>      schemachecking=on
>      type=refreshOnly
>      interval=00:00:00:05
>      retry="10 +"
>      bindmethod=sasl
>      saslmech=external
>      authcid="cn=replicator,ou=system,dc=example,dc=fr"
>      authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
>      tls_cacert=/etc/openldap/cacerts/CA.crt
>      tls_cert=/etc/openldap/cacerts/syncrepl.crt
>      tls_key=/etc/openldap/cacerts/syncrepl.key
>      tls_reqcert=demand
>
> I get this as error : "ldap_sasl_interactive_bind_s failed (-6)"
>
> and if I launch slapd through strace I see that
> /etc/openldap/cacerts/syncrepl.crt
> is never opened (then never presented to the server).
>
> Note that on the server I have configured :
>
> TLSVerifyClient demand
>
> To be sure that the server ask for the certificate.
>
> What have I forgotten ? Please help me to diag where is the problem.
Does client cert auth work from ldapsearch?  e.g.
LDAPTLS_CERT=/etc/openldap/cacerts/syncrepl.crt 
LDAPTLS_KEY=/etc/openldap/cacerts/syncrepl.key 
LDAPTLS_CACERT=/etc/openldap/cacerts/CA.crt ldapsearch -h fqdn -Y 
EXTERNAL .....
> ---
> Olivier
>
> P.S :
>
> I can't be absolutely affirmative since I'm under testing, but I
> think that worked before, and I start to beleive that update
> from
>      openldap-servers-2.4.23-15.el6_1.1.x86_64
> to
>      openldap-servers-2.4.23-15.el6_1.3.x86_64
>
> on redhat 6 produces problems.