[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl SSL fail


tls_reqcert=never is necessary for the replication. If it is not
defined, I get an error.

The weird thing, is that I do have the same configuration on another
host, running Debian Lenny with slapd version 2.4.23-3 and I don't
have to define this parameter.

The server I report the error, is running 2.4.23-7 on Squeeze.

Is there any way to explain this difference ?



On 17 October 2011 04:27, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
> --On Sunday, October 16, 2011 12:51 AM -0700 Howard Chu <hyc@symas.com>
> wrote:
>> Quanah Gibson-Mount wrote:
>>> --On October 13, 2011 10:43:55 AM -0700 Josh Miller
>>> <joshua@itsecureadmin.com>  wrote:
>>>> On Oct 13, 2011, at 10:29 AM, Quanah Gibson-Mount wrote:
>>>>> I don't see any of the tls_* options to the syncrepl configuration
>>>>> here. Likely the syncrepl client is unable to verify the master's
>>>>> cert.  I would note that using refreshOnly is ill-advised.
>>>> Hi Quanah,
>>>> Why is RefreshOnly ill-advised?  That is the recommendation in the docs
>>>> (very timely as I just set this up again myself).
>>>> re:  http://www.openldap.org/doc/admin24/replication.html
>>> The admin guide has examples, not recommendations.  In any case, I fully
>>> intend to change those examples to be refreshAndPersist so people stop
>>> defaulting to refreshOnly.  It is not always reliable, and your
>>> significantly delay your replication by using it.
>> Of course, it may be the only thing that works reliably if you have a
>> firewall that silently kills old connections.
>> The examples should stand as-is. We cannot predict what environment it's
>> going to be deployed in. It's up to administrators to use their brains
>> and know these details of their network.
> I think at the least we should document both.  Virtually everyone takes the
> admin guide verbatim without comprehending what it is they are doing. Giving
> them two options would hopefully at least make them have to consider why
> there are multiple options.
> --Quanah
> --
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration