[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl SSL fail

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: Re: Syncrepl SSL fail
From: Hugo Deprez <hugo.deprez@gmail.com>
Date: Mon, 17 Oct 2011 16:59:59 +0200
Cc: Howard Chu <hyc@symas.com>, Josh Miller <joshua@itsecureadmin.com>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=qehgmDSgOD2P80lrpsmVSUyu3HaCrkjlvrm9EF7mWT0=; b=T6Q9mizIJwRXPHF6NK1Nj7uXL2u5WkNWvlmubnvDWBYboZ/8Eqcqdq9aFR1mxZ/EkC nxWUEoWi0Avsv6Y4Vz10fpRDIQmDLcfGLi8lnU+eAwifpoNM+48r2h25u4ykhMMSxPoD iR7kfOCtxi9moOktuwPGHAbXoCsGw+uPIrszA=
In-reply-to: <48AE6F620108D3A8C0F0558F@192.168.1.23>
References: <CAAoQnKjisqdHa0Pa8u5fjsUeNvJwY_fi6uJvs_T5U30ao+TG2w@mail.gmail.com> <53616BF91B701EAFA5521B0F@192.168.1.23> <2F29DB7B-BFFD-4004-951B-09EA3BF8429E@itsecureadmin.com> <F6F3F9073A6EC8597D1F5992@quanah-mac.local> <4E9A8CEC.7020403@symas.com> <48AE6F620108D3A8C0F0558F@192.168.1.23>

Hello,

tls_reqcert=never is necessary for the replication. If it is not
defined, I get an error.

The weird thing, is that I do have the same configuration on another
host, running Debian Lenny with slapd version 2.4.23-3 and I don't
have to define this parameter.

The server I report the error, is running 2.4.23-7 on Squeeze.

Is there any way to explain this difference ?

Regards,

Hugo


On 17 October 2011 04:27, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
> --On Sunday, October 16, 2011 12:51 AM -0700 Howard Chu <hyc@symas.com>
> wrote:
>
>> Quanah Gibson-Mount wrote:
>>>
>>>
>>> --On October 13, 2011 10:43:55 AM -0700 Josh Miller
>>> <joshua@itsecureadmin.com>  wrote:
>>>
>>>>
>>>> On Oct 13, 2011, at 10:29 AM, Quanah Gibson-Mount wrote:
>>>>>
>>>>> I don't see any of the tls_* options to the syncrepl configuration
>>>>> here. Likely the syncrepl client is unable to verify the master's
>>>>> cert.  I would note that using refreshOnly is ill-advised.
>>>>
>>>> Hi Quanah,
>>>>
>>>> Why is RefreshOnly ill-advised?  That is the recommendation in the docs
>>>> (very timely as I just set this up again myself).
>>>>
>>>> re:  http://www.openldap.org/doc/admin24/replication.html
>>>
>>> The admin guide has examples, not recommendations.  In any case, I fully
>>> intend to change those examples to be refreshAndPersist so people stop
>>> defaulting to refreshOnly.  It is not always reliable, and your
>>> significantly delay your replication by using it.
>>
>> Of course, it may be the only thing that works reliably if you have a
>> firewall that silently kills old connections.
>>
>> The examples should stand as-is. We cannot predict what environment it's
>> going to be deployed in. It's up to administrators to use their brains
>> and know these details of their network.
>
> I think at the least we should document both.  Virtually everyone takes the
> admin guide verbatim without comprehending what it is they are doing. Giving
> them two options would hopefully at least make them have to consider why
> there are multiple options.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
>
>

References:
- Syncrepl SSL fail
  - From: Hugo Deprez <hugo.deprez@gmail.com>
- Re: Syncrepl SSL fail
  - From: Josh Miller <joshua@itsecureadmin.com>
- Re: Syncrepl SSL fail
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Syncrepl SSL fail
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: multi master no syncing.
Next by Date: Re: adding monitor to cn=config on already running slapd
Index(es):
- Chronological
- Thread