At the moment, I still update LDAP certificates by hand.  All previous certs 
used "C = US, O = Internet2, CN = InCommon RSA Server CA 2" but on May 4th, 
moved to "C = US, O = "InCommon, LLC", CN = InCommon RSA OV SSL CA 3".  I had 
to generate a new cert after that date... so I added in the new CA certs into 
my CACert file on both ends.  But replication is failing with the new cert, 
works fine with the old cert:

  May 13 13:26:21 HOSTNAME slapd[4076661]: slap_client_connect: 
URI=ldap://master_vip_name/ ldap_sasl_interactive_bind_s failed (-1)
  May 13 13:26:21 HOSTNAME slapd[4076661]: do_syncrepl: rid=101 rc -1 retrying

Tried changing tls_reqcert to never in ldap.conf and in the syncrepl and that 
didn't change anything.  If I move back to the old cert (expires tomorrow) 
replication works again so probably not a password issue.

Any suggestions for debugging this further?

thanks,
ds

Reply via email to