Never mind. I had to put this line in the syncrepl section of the slave:

starttls=yes

Sorry about the noise.

On Sun, May 27, 2012 at 10:29 PM, zhong ming wu <[email protected]> wrote:
> Hello
>
> I am using version 2.4 and in the process of setting up a master/slave
> pair using syncrepl.
>
> This is working as expected if I don't enforce security and
> confidentiality with the "security ssf=128" global directive in the
> master.
> As soon as I turn it on, replication stops working.
>
> It seems that the slave consumer is not using TLS to connect to the
> master. However, I can use 'ldapsearch' with the '-ZZ' option to connect
> to the master from the slave and get all records I want.
>
> On my slave machine, I also have the following directive
>
> TLS_CACERT /etc/pki/tls/certs/ca.crt.crl
>
> in ldap.conf
>
> Notice that without this line 'ldapXXX' commands with '-ZZ' fail from
> slave to master. This confirms that at least 'ldap.conf' is in the
> correct location, at least as far as 'ldapXXX' commands are concerned.
>
> Can someone point me in the right direction? I have read many
> chapters on this page
>
> http://www.openldap.org/doc/admin24/index.html
>
> Both slave and master are on CentOS 6.2 and the OpenLDAP software is the
> standard CentOS rpm.
>
> Here are the log entries on the master when the slave fails to bind with TLS
>
> May 27 22:14:53 cat slapd[2456]: conn=1000 fd=13 ACCEPT from
> IP=192.168.0.2:41083 (IP=0.0.0.0:389)
> May 27 22:14:53 cat slapd[2456]: conn=1000 op=0 BIND
> dn="cn=root,dc=example,dc=com" method=128
> May 27 22:14:53 cat slapd[2456]: conn=1000 op=0 RESULT tag=97 err=13
> text=confidentiality required
> May 27 22:14:53 cat slapd[2456]: conn=1000 op=1 UNBIND
> May 27 22:14:53 cat slapd[2456]: conn=1000 fd=13 closed
>
> Sincerely
>
> Mr Wu
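The fix the reply describes, written out as an added slapd.conf example (not configuration from the original thread): the provider directive that rejects plain binds, then the consumer's syncrepl stanza before and after adding StartTLS. The provider hostname, rid, retry interval and credentials are assumed placeholders; the CA path and bind DN are the ones quoted in the thread.

```conf
# provider (master) slapd.conf
# Require an SSF of at least 128 on every session. A simple bind over a
# cleartext connection (method=128 in the log) is then refused with
# err=13 "confidentiality required", which is exactly what the log shows.
security ssf=128

# consumer (slave) slapd.conf, BEFORE: no StartTLS, so the bind is refused
# (provider hostname and credentials are assumed placeholders)
syncrepl rid=001
         provider=ldap://master.example.com:389
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=simple
         binddn="cn=root,dc=example,dc=com"
         credentials=CHANGEME

# consumer (slave) slapd.conf, AFTER: StartTLS is issued before the bind.
# The thread used starttls=yes; that value carries on WITHOUT TLS if the
# StartTLS request fails, so on a provider that enforces ssf=128 the
# replication would simply fail again. starttls=critical aborts the
# session instead, which is the safer choice. tls_cacert points at the
# same CA file the reporter had in ldap.conf, and tls_reqcert=demand
# makes the consumer verify the provider certificate against it.
syncrepl rid=001
         provider=ldap://master.example.com:389
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=simple
         binddn="cn=root,dc=example,dc=com"
         credentials=CHANGEME
         starttls=critical
         tls_cacert=/etc/pki/tls/certs/ca.crt.crl
         tls_reqcert=demand
```

After restarting slapd on the consumer, a successful replication bind shows up on the provider as a STARTTLS entry followed by the BIND, and the "confidentiality required" result disappears.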
