Windl, Ulrich wrote: > Hi! > > I have a related question: I replaced our certificate with a refreshed one > (keeping the key and filename). > Does OpenLDAP cache the certificate, or does it read it anew every time it's > needed (i.e.: do I have to restart the server?)? I'm using cn=config, just in > case.
The behavior depends on the particular TLS library being used. Pretty sure that OpenSSL caches the file. You don't need to restart the server, just ldapmodify the setting in cn=config. You can replace it with the same name as before, if you just want it to reload the same file. > > Kind regards, > Ulrich Windl > >> -----Original Message----- >> From: [email protected] <[email protected]> >> Sent: Wednesday, May 13, 2026 7:32 PM >> To: [email protected] >> Subject: [EXT] issue with new cert (now using CN = InCommon RSA OV SSL CA >> 3) >> > >> At the moment, I still update LDAP certificates by hand. All previous certs >> used "C = US, O = Internet2, CN = InCommon RSA Server CA 2" but on May >> 4th, moved to "C = US, O = "InCommon, LLC", CN = InCommon RSA OV SSL CA >> 3". I had to generate a new cert after that date... so I added in the new CA >> certs into my CACert file on both ends. But replication is failing with the >> new >> cert, works fine with the old cert: >> >> May 13 13:26:21 HOSTNAME slapd[4076661]: slap_client_connect: >> URI=ldap://master_vip_name/ ldap_sasl_interactive_bind_s failed (-1) >> May 13 13:26:21 HOSTNAME slapd[4076661]: do_syncrepl: rid=101 rc -1 >> retrying >> >> Tried changing tls_reqcert to never in ldap.conf and in the syncrepl and that >> didn't change anything. If I move back to the old cert (expires tomorrow) >> replication works again so probably not a password issue. >> >> Any suggestions for debugging this further? >> >> thanks, >> ds -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
