Hi,

If your certificate is self-signed, try to remove this line:

    olcTLSCACertificateFile: /etc/openldap/certs/ldapscert.pem

Keep only olcTLSCertificateFile and olcTLSCertificateKeyFile.

Best regards,
cyrill gremaud

On 20 Oct 2014, at 17:07, Elmopi, Stefano <[email protected]> wrote:

> Hi,
>
> I'm having trouble running the LDAP replica with TLS; without TLS, all works!!
>
> Provider and Consumer are identical, CentOS release 6.5:
>
>     rpm -qa | grep ldap
>     openldap-clients-2.4.23-34.el6_5.1.x86_64
>     openldap-2.4.23-34.el6_5.1.x86_64
>     apr-util-ldap-1.3.9-3.el6_0.1.x86_64
>     nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64
>     mod_authz_ldap-0.26-16.el6.x86_64
>     pam_ldap-185-11.el6.x86_64
>     openldap-servers-2.4.23-34.el6_5.1.x86_64
>
> Provider config, file cn\=config.ldif:
>
>     olcTLSCACertificateFile: /etc/openldap/certs/ldapscert.pem
>     olcTLSCertificateFile: /etc/openldap/certs/ldapscert.pem
>     olcTLSCertificateKeyFile: /etc/openldap/certs/keys/ldapskey.pem
>     olcTLSCipherSuite: TLSv1+RSA:!EXPORT:!NULL
>     olcTLSVerifyClient: never
>
> Consumer config:
>
>     olcSyncrepl: {0}rid=000 provider=ldap://ldpsoc01devpom.sociale.it starttls=yes type=refreshonly retry="5 5 300 +" searchbase="dc=example,dc=it" attrs="*,+" bindmethod=simple binddn="uid=xxxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it" credentials=xxxxxxx interval=60
>
> and, in /etc/openldap/ldap.conf:
>
>     TLS_CACERT /etc/openldap/certs/ldapscert.pem
>     TLS_REQCERT never
>
> The certificate is self-signed.
>
> On the slave, if I try the following command:
>
>     ldapsearch -ZZ -x -H ldap://ldpsoc01devpom -D 'uid=xxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it' -W 'objectclass=*' -v
>
> everything is OK, but when I try to use TLS in replication, the process goes wrong.
>
> In the Provider log:
>
>     connection_get(16)
>     connection_get(16): got connid=1030
>     connection_read(16): checking for input on id=1030
>     connection_read(16): TLS accept failure error=-1 id=1030, closing
>     connection_closing: readying conn=1030 sd=16 for close
>     connection_close: conn=1030 sd=16
>     daemon: activity on 1 descriptor
>     daemon: activity on:
>
> In the Consumer log:
>
>     slapd[6508]: =>do_syncrepl rid=000
>     slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it Warning, ldap_start_tls failed (-11)
>     slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it DN="uid=bind_replica,ou=admin_bind,ou=utenze_amministratori,dc=sociale,dc=it" ldap_sasl_bind_s failed (-1)
>     do_syncrepl: rid=000 rc -1 retrying (3 retries left)
>     daemon: activity on 1 descriptor
>     daemon: activity on:
>
> Help, I do not know where to turn!!!!
>
> Thanks
>
> Ing. Stefano Elmopi
> Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio
> Via Ostiense 131/L Corpo B, 00154 Roma
> cell. 3466147165
> tel. 0657060500
> email: [email protected]
>
> "Pursuant to and for the purposes of the law on the protection of personal data (Legislative Decree 196/2003), the information contained in this e-mail is confidential and intended for business/work use, excluding personal use; as such, it is reserved exclusively for the recipients indicated above. Reading, copying, using or disseminating the content of this e-mail without authorisation is prohibited. If you have received this e-mail in error, please return it to the sender. Thank you."
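Added example, not part of either message in this thread: a small Python checker that parses a consumer's olcSyncrepl value and its ldap.conf the way they appear above and reports which settings decide whether the replication link is actually protected. The sample inputs are constructed from the values posted (masked fields kept as posted); the finding codes are names chosen here, and the starttls=yes versus starttls=critical behaviour follows slapd.conf(5).

```python
import re
import shlex

# Constructed sample: the consumer's olcSyncrepl value posted in the thread (masked values as posted).
SAMPLE_SYNCREPL = (
    '{0}rid=000 provider=ldap://ldpsoc01devpom.sociale.it starttls=yes '
    'type=refreshonly retry="5 5 300 +" searchbase="dc=example,dc=it" '
    'attrs="*,+" bindmethod=simple '
    'binddn="uid=xxxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it" '
    'credentials=xxxxxxx interval=60'
)
# Constructed sample: the consumer's /etc/openldap/ldap.conf lines from the thread.
SAMPLE_LDAP_CONF = "TLS_CACERT /etc/openldap/certs/ldapscert.pem\nTLS_REQCERT never\n"

def parse_syncrepl(value):
    """Turn an olcSyncrepl value into a dict. shlex keeps quoted values such as
    retry="5 5 300 +" together; the leading {N} ordering prefix is dropped."""
    body = re.sub(r"^\{\d+\}", "", value.strip())
    params = {}
    for token in shlex.split(body):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError("not a key=value syncrepl parameter: %r" % token)
        params[key.lower()] = val
    return params

def parse_ldap_conf(text):
    """Read KEY VALUE lines from ldap.conf, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def review_replication_tls(syncrepl_value, ldap_conf_text):
    """Return finding codes (names chosen here) for the consumer's transport settings."""
    p = parse_syncrepl(syncrepl_value)
    conf = parse_ldap_conf(ldap_conf_text)
    findings = []
    scheme = p.get("provider", "").split("://", 1)[0].lower()
    tls = scheme == "ldaps" or p.get("starttls", "no").lower() in ("yes", "critical")
    if not tls:
        findings.append("NO_TLS")  # replication traffic and simple-bind password in clear
    if conf.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
        findings.append("PROVIDER_CERT_UNVERIFIED")  # any provider certificate is accepted
    if p.get("starttls", "").lower() == "yes":  # slapd.conf(5): only 'critical' aborts
        findings.append("STARTTLS_NOT_CRITICAL")  # a failed StartTLS continues in clear
    return findings
```

Run on the posted values it reports PROVIDER_CERT_UNVERIFIED (TLS_REQCERT never) and STARTTLS_NOT_CRITICAL, which is why the consumer log above shows a bind attempt right after "ldap_start_tls failed".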
