[email protected] wrote: > At the moment, I still update LDAP certificates by hand. All previous certs > used "C = US, O = Internet2, CN = InCommon RSA Server CA 2" but on May 4th, > moved to "C = US, O = "InCommon, LLC", CN = InCommon RSA OV SSL CA 3". I had > to generate a new cert after that date... so I added in the new CA certs into > my CACert file on both ends. But replication is failing with the new cert, > works fine with the old cert: > > May 13 13:26:21 HOSTNAME slapd[4076661]: slap_client_connect: > URI=ldap://master_vip_name/ ldap_sasl_interactive_bind_s failed (-1) > May 13 13:26:21 HOSTNAME slapd[4076661]: do_syncrepl: rid=101 rc -1 retrying > > Tried changing tls_reqcert to never in ldap.conf and in the syncrepl and that > didn't change anything. If I move back to the old cert (expires tomorrow) > replication works again so probably not a password issue. > > Any suggestions for debugging this further?
Try to connect to the server using ldapsearch -d-1 using the new cert and examine the debug output. > > thanks, > ds > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
