
RE: [EXTERNAL] Re: back-ldap and ldaps not working



--On Friday, July 07, 2017 8:10 PM +0000 Jon C Kidder <jckidder@aep.com> wrote:

I've removed the starttls=no syntax and the line now reads:

olcDbStartTLS: ldaps
tls_cacert="/appl/openldap/etc/openldap/tls/cacerts.cer  "
tls_reqcert=demand tls_crlcheck=none

I have verified the change propagated to the configuration directory and
restarted the instance. I saw no errors during configuration parsing in
the log. I am still seeing this error when the chain overlay tries to
follow the referral but no complaints when syncrepl connects.

I'm not sure how you do this with cn=config. With slapd.conf, it would be done via using "chain-tls" and not "tls", as per the man page:

    There are very few chain overlay specific directives; however, directives
    related to the instances of the ldap backend that may be implicitly
    instantiated by the overlay may assume a special meaning when used in
    conjunction with this overlay. They are described in slapd-ldap(5), and
    they also need to be prefixed by chain-.

It may be worthwhile to set up a slapd.conf where "chain-tls" is specified, and see what happens with that on conversion.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
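A slapd.conf fragment of the kind Quanah suggests, added here as an illustration and not taken from either poster's configuration; the URI, the paths and the slapd.d location are placeholders, and the chain- prefixed TLS directive follows the slapd-ldap(5) rule quoted above:

```conf
# Constructed example: chain overlay on the frontend database with
# TLS settings given through the chain- prefixed form of the
# slapd-ldap(5) "tls" directive (placeholder values throughout).
database        frontend
overlay         chain
chain-uri       "ldaps://ldap-master.example.test/"
chain-tls       ldaps tls_cacert="/path/to/cacerts.cer" tls_reqcert=demand tls_crlcheck=none
chain-return-error TRUE

# Convert to cn=config with slaptest and compare the generated
# olcDatabase={0}ldap entry under olcOverlay={0}chain against the
# hand-written olcDbStartTLS attribute quoted earlier in the thread:
#   slaptest -f /path/to/slapd.conf -F /path/to/slapd.d
```

The converted entry shows which attribute names and value syntax slapd itself produces for the chain overlay's ldap database, which is the point of comparison Quanah proposes.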