On Wednesday, 20 October 2010 16:13:44 Thierry Lacoste wrote:
> Hello,
>
> I have 2 CentOS 5.4 servers running OpenLDAP 2.4.20
> installed from Buchan Milne's repository (openldap2.4-servers-2.4.20-1.el5).
>
> The first server is a Sync Provider.
> The second is a consumer with 'starttls=critical'.
>
> I have no problem after 'yum update' of the master
> (openldap2.4-servers-2.4.22-1.el5 is installed and replication is OK).
>
> But after 'yum update' of the slave, syncrepl won't work anymore
> because of TLS failures.
>
> Here are the logs on the master :
> Oct 20 16:51:15 vcos-castor slapd2.4[20097]: @(#) $OpenLDAP: slapd 2.4.22 (Apr 27 2010 12:04:27) $
> [email protected]:/home/bgmilne/rpm/BUILD/openldap-2.4.22/servers/slapd
> Oct 20 16:51:15 vcos-castor slapd2.4[20098]: slapd starting
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 ACCEPT from IP=IP.OF.THE.SLAVE:46212 (IP=0.0.0.0:389)
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 STARTTLS
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 RESULT oid= err=0 text=
> Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 closed (TLS negotiation failure)
>
> Here are the logs on the slave :
> Oct 20 16:51:45 vcos-pollux slapd2.4[1808]: @(#) $OpenLDAP: slapd 2.4.22 (Apr 27 2010 12:04:27) $
> [email protected]:/home/bgmilne/rpm/BUILD/openldap-2.4.22/servers/slapd
> Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slapd starting
> Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slap_client_connect: URI=ldap://NAME_OF_THE_MASTER Error, ldap_start_tls failed (-11)
> Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: do_syncrepl: rid=000 rc -11 retrying (4 retries left)
>
> ldapsearch from the slave can do TLS :
> $ ldapsearch -ZZ -x -h NAME_OF_THE_MASTER
> This is ldapsearch from openldap-clients-2.3.43-12.el5_5.2 as packaged by CentOS
>
> Any ideas on how to troubleshoot the problem?
Note that the syncrepl statement now has its own TLS configuration; see the options tls_cert, tls_key, tls_cacert, tls_cacertdir, tls_reqcert, tls_ciphersuite and tls_crlcheck of the syncrepl statement.

Regards,
Buchan
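As an added illustration (not from the thread, and not Buchan's or the OpenLDAP project's own configuration), here is what a consumer-side syncrepl stanza in slapd.conf looks like once the per-syncrepl TLS keys Buchan lists are used. The provider name and rid=000 come from Thierry's logs; the suffix, bind DN, certificate paths and retry values are assumed placeholders. The server-side TLS* directives at the top of slapd.conf govern slapd when it accepts connections; the tls_* keys inside the syncrepl stanza govern the outgoing connection the consumer makes to the provider, which is the one failing here.

```conf
# --- server side: how this slapd presents itself to its own clients ---
TLSCACertificateFile  /etc/openldap/cacerts/ca.pem     # assumed path
TLSCertificateFile    /etc/openldap/certs/pollux.pem   # assumed path
TLSCertificateKeyFile /etc/openldap/certs/pollux.key   # assumed path

# --- consumer side: how this slapd connects to the provider ---
syncrepl rid=000
        provider=ldap://NAME_OF_THE_MASTER
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"               # assumed suffix
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"     # assumed replication identity
        credentials=CHANGEME                         # placeholder
        starttls=critical
        # TLS settings for this client connection; without them the consumer
        # does not use the TLS* directives above and falls back to libldap defaults.
        tls_cacert=/etc/openldap/cacerts/ca.pem      # CA that signed the provider cert
        tls_reqcert=demand                           # refuse providers with an unverifiable cert
        tls_cert=/etc/openldap/certs/pollux.pem      # only needed if the provider requires a client cert
        tls_key=/etc/openldap/certs/pollux.key
```

Keep tls_reqcert=demand (the verifying setting) rather than relaxing it to allow or never to make the error go away; if the handshake still fails, the mismatch is between tls_cacert and the certificate the provider actually serves, which is what to check next.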
