
Re: syncrepl fails after upgrade to openldap 2.4.45



On Mon, Jun 26, 2017 at 11:09:43AM -0700, Quanah Gibson-Mount wrote:

> Now you're switching topics.  Your original mail did not include
> cert authentication, it used simple binds:
> 
> syncrepl rid=000
>  provider=ldaps://ldap.dannatu.ch:636
>  type=refreshAndPersist
>  retry="5 5 300 +"
>  searchbase="dc=dannatu,dc=ch"
>  attrs="*,+"
>  scope=sub
>  bindmethod=simple
>  binddn="cn=Manager,dc=dannatu,dc=ch"
>  credentials=**************
> 
> 
> Either way, cert authentication AND TLS encrypted syncrepl both work
> for me with OpenSSL 1.0.2l and OpenLDAP 2.4.45 just fine, so I would
> have to again guess issues with proper TLS configuration.

It seems that the CA cert was never referenced in the syncrepl clause, so
it would have dropped back to whatever TLS config was in the LDAP *client*
config file (probably /etc/ldap/ldap.conf). I seem to remember a change in
behaviour of OpenSSL libs a while ago where I was bitten by something
similar. Maybe Juergen's earlier setup used ldap.conf and the new one
is ignoring it?

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
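As an added illustration of Andrew's point (not part of either mail in this thread): the quoted syncrepl clause beside a version that carries its own TLS settings, so the consumer's trust anchor no longer depends on whatever /etc/ldap/ldap.conf happens to say. The CA file path and the credentials value are placeholders; `tls_cacert` and `tls_reqcert` are the syncrepl TLS keywords documented in slapd.conf(5).

```conf
# Before (as quoted above): no tls_* keywords in the syncrepl clause, so the
# consumer's outbound TLS verification falls back to libldap's defaults,
# i.e. whatever TLS_CACERT etc. the client ldap.conf supplies (if anything).
syncrepl rid=000
  provider=ldaps://ldap.dannatu.ch:636
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=dannatu,dc=ch"
  attrs="*,+"
  scope=sub
  bindmethod=simple
  binddn="cn=Manager,dc=dannatu,dc=ch"
  credentials=REPLACE_WITH_PASSWORD

# After: trust anchor and verification policy stated in the clause itself.
# /etc/ldap/ssl/provider-ca.pem is a placeholder path for the CA certificate
# that signed the provider's server certificate.
syncrepl rid=000
  provider=ldaps://ldap.dannatu.ch:636
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=dannatu,dc=ch"
  attrs="*,+"
  scope=sub
  bindmethod=simple
  binddn="cn=Manager,dc=dannatu,dc=ch"
  credentials=REPLACE_WITH_PASSWORD
  tls_cacert=/etc/ldap/ssl/provider-ca.pem
  tls_reqcert=demand
```

With cn=config the same keywords go into the olcSyncrepl value. To confirm the CA file itself validates the provider's chain from the consumer host, independent of ldap.conf, run `LDAPTLS_CACERT=/etc/ldap/ssl/provider-ca.pem ldapsearch -H ldaps://ldap.dannatu.ch:636 -x -b "" -s base`; a clean rootDSE result means the remaining difference, if any, lies in what slapd's consumer is being told to trust.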