Re: Syncrepl SSL fail
tls_reqcert=never is necessary for the replication. If it is not
defined, I get an error.
The weird thing is that I do have the same configuration on another
host, running Debian Lenny with slapd version 2.4.23-3, and I don't
have to define this parameter.
The server on which I report the error is running 2.4.23-7 on Squeeze.
Is there any way to explain this difference?
On 17 October 2011 04:27, Quanah Gibson-Mount <email@example.com> wrote:
> --On Sunday, October 16, 2011 12:51 AM -0700 Howard Chu <firstname.lastname@example.org>
>> Quanah Gibson-Mount wrote:
>>> --On October 13, 2011 10:43:55 AM -0700 Josh Miller
>>> <email@example.com> wrote:
>>>> On Oct 13, 2011, at 10:29 AM, Quanah Gibson-Mount wrote:
>>>>> I don't see any of the tls_* options to the syncrepl configuration
>>>>> here. Likely the syncrepl client is unable to verify the master's
>>>>> cert. I would note that using refreshOnly is ill-advised.
>>>> Hi Quanah,
>>>> Why is RefreshOnly ill-advised? That is the recommendation in the docs
>>>> (very timely as I just set this up again myself).
>>>> re: http://www.openldap.org/doc/admin24/replication.html
>>> The admin guide has examples, not recommendations. In any case, I fully
>>> intend to change those examples to be refreshAndPersist so people stop
>>> defaulting to refreshOnly. It is not always reliable, and you
>>> significantly delay your replication by using it.
>> Of course, it may be the only thing that works reliably if you have a
>> firewall that silently kills old connections.
>> The examples should stand as-is. We cannot predict what environment it's
>> going to be deployed in. It's up to administrators to use their brains
>> and know these details of their network.
> I think at the least we should document both. Virtually everyone takes the
> admin guide verbatim without comprehending what it is they are doing. Giving
> them two options would hopefully at least make them have to consider why
> there are multiple options.
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> Zimbra :: the leader in open source messaging and collaboration
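
Added example, not part of the thread and not OpenLDAP project code: a small audit that reads a slapd.conf and reports syncrepl stanzas where provider certificate verification is switched off with tls_reqcert, as in the configuration discussed above. The sample configuration, host names and file paths are constructed for illustration.

```python
import shlex

# Constructed sample consumer configuration (not taken from the thread).
SAMPLE_CONF = '''\
suffix "dc=example,dc=com"
syncrepl rid=001
  provider=ldaps://master.example.com
  type=refreshOnly
  searchbase="dc=example,dc=com"
  tls_reqcert=never
syncrepl rid=002
  provider=ldap://master2.example.com
  type=refreshAndPersist
  starttls=critical
  tls_cacert=/etc/ldap/ssl/ca.pem
  tls_reqcert=demand
'''

def unwrap(text):
    """Join continuation lines (leading whitespace), then drop comments and blanks."""
    logical = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.rstrip())
    return [l for l in logical if l and not l.startswith("#")]

def audit_syncrepl(text):
    """Return {rid: [findings]} for every syncrepl directive in a slapd.conf text."""
    report = {}
    for directive in unwrap(text):
        tokens = shlex.split(directive)
        if tokens[0].lower() != "syncrepl":
            continue
        opts = {k.lower(): v for k, v in (t.split("=", 1) for t in tokens[1:] if "=" in t)}
        findings = []
        uses_tls = opts.get("provider", "").lower().startswith("ldaps://") or "starttls" in opts
        if not uses_tls:
            findings.append("no TLS: neither ldaps:// nor starttls")
        if opts.get("tls_reqcert", "").lower() in ("never", "allow"):
            findings.append("tls_reqcert=%s: provider certificate is not verified" % opts["tls_reqcert"])
        if uses_tls and not ({"tls_cacert", "tls_cacertdir"} & opts.keys()):
            findings.append("no tls_cacert/tls_cacertdir: falls back to the main slapd TLS settings")
        report[opts.get("rid", "?")] = findings
    return report

if __name__ == "__main__":
    print(audit_syncrepl(SAMPLE_CONF))
```

A stanza with an empty findings list uses TLS, names its own CA and leaves verification on; rid 001 in the sample is reported on two counts.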