[Pkg-openldap-devel] Bug#512785: slapd: syncrepl client fails TLS unless server also has TLS

Rob Sims debbugs-z at robsims.com
Fri Jan 23 17:49:58 UTC 2009


Package: slapd
Version: 2.4.11-1
Severity: normal

With the following entry in slapd.conf:
syncrepl rid=123
        provider=ldaps://ldap.server.name.com:636/
        tls_cacert=/etc/ssl/certs/homegencert.pem
        type=refreshAndPersist
        interval=01:00:00:00
        retry="60 2 3600 +"
        searchbase="dc=server,dc=name,dc=com"
        bindmethod=simple
        binddn=cn=client,dc=server,dc=name,dc=com
        credentials=therealpasswordwashere

The following error is logged:
slap_client_connect: URI=ldaps://ldap.server.name.com:636/ TLS context initialization failed (-1)
do_syncrepl: rid=123 retrying (1 retries left)

The problem goes away if I set the server-side parameters TLSCACertificateFile,
TLSCertificateFile, and TLSCertificateKeyFile to valid values (I didn't
try any smaller sets).

This server was intended to handle only local requests, so the server
side config should not be needed.  The working config does not include
ldaps, only the TLS parameters above.

The original config would work on occasion, indicating something that
syncrepl depends on is truly uninitialized if the server config is
absent.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
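For reference, the slapd.conf shape the report describes as working, written out as an added example (this is not the reporter's file or Debian's shipped config). The hostname, DNs and CA path are taken from the report; the consumer's own certificate and key paths, and the assumption that all three files exist and are readable by the user slapd runs as, are mine.

```conf
# Consumer slapd.conf fragment (added example, not the reporter's config).

# Workaround from the report: a full server-side TLS configuration on the
# consumer's own slapd. Paths below are assumptions; the files must exist
# and be readable by the account slapd runs as.
TLSCACertificateFile   /etc/ssl/certs/homegencert.pem
TLSCertificateFile     /etc/ldap/ssl/consumer-cert.pem
TLSCertificateKeyFile  /etc/ldap/ssl/consumer-key.pem

# Consumer entry as reported, with two changes:
#  * tls_reqcert=demand states the certificate verification policy
#    explicitly instead of relying on the ldap.conf TLS_REQCERT default.
#  * interval= is omitted: per slapd.conf(5) it applies to refreshOnly,
#    not to refreshAndPersist; retry= still governs reconnects.
syncrepl rid=123
        provider=ldaps://ldap.server.name.com:636/
        tls_cacert=/etc/ssl/certs/homegencert.pem
        tls_reqcert=demand
        type=refreshAndPersist
        retry="60 2 3600 +"
        searchbase="dc=server,dc=name,dc=com"
        bindmethod=simple
        binddn="cn=client,dc=server,dc=name,dc=com"
        credentials=therealpasswordwashere
```

Two practical notes. First, the bind and the CA chain can be checked independently of syncrepl from the consumer host with the client tools, e.g. `LDAPTLS_CACERT=/etc/ssl/certs/homegencert.pem ldapsearch -H ldaps://ldap.server.name.com:636/ -x -D cn=client,dc=server,dc=name,dc=com -W -b dc=server,dc=name,dc=com -s base`; if that fails with a TLS error the problem is the certificate material, not the replication setup. Second, the workaround also makes the consumer's slapd able to serve TLS with that certificate, which the report says is not wanted on a local-only server; on Debian the exposed listeners are controlled by SLAPD_SERVICES in /etc/default/slapd (for example `ldap://127.0.0.1:389/ ldapi:///`), so the server-side TLS directives can be present without an ldaps listener being offered. Since the consumer password sits in slapd.conf in cleartext, keep that file readable only by root and the slapd user.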
