[email protected] wrote:
> At the moment, I still update LDAP certificates by hand.  All previous certs 
> used "C = US, O = Internet2, CN = InCommon RSA Server CA 2" but on May 4th, 
> moved to "C = US, O = "InCommon, LLC", CN = InCommon RSA OV SSL CA 3".  I had 
> to generate a new cert after that date... so I added in the new CA certs into 
> my CACert file on both ends.  But replication is failing with the new cert, 
> works fine with the old cert:
> 
>   May 13 13:26:21 HOSTNAME slapd[4076661]: slap_client_connect: 
> URI=ldap://master_vip_name/ ldap_sasl_interactive_bind_s failed (-1)
>   May 13 13:26:21 HOSTNAME slapd[4076661]: do_syncrepl: rid=101 rc -1 retrying
> 
> Tried changing tls_reqcert to never in ldap.conf and in the syncrepl and that 
> didn't change anything.  If I move back to the old cert (expires tomorrow) 
> replication works again so probably not a password issue.
> 
> Any suggestions for debugging this further?

Try to connect to the server using ldapsearch -d-1 using the new cert and 
examine the debug output.
> 
> thanks,
> ds
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Reply via email to