[Pkg-openldap-devel] Bug#512785: Bug#512785: slapd: syncrepl client fails TLS unless server also has TLS
Quanah Gibson-Mount
quanah at zimbra.com
Fri Jan 23 19:52:42 UTC 2009
--On Friday, January 23, 2009 10:49 AM -0700 Rob Sims
<debbugs-z at robsims.com> wrote:
> Package: slapd
> Version: 2.4.11-1
> Severity: normal
>
> With the following entry in slapd.conf:
> syncrepl rid=123
> provider=ldaps://ldap.server.name.com:636/
> tls_cacert=/etc/ssl/certs/homegencert.pem
> type=refreshAndPersist
> interval=01:00:00:00
> retry="60 2 3600 +"
> searchbase="dc=server,dc=name,dc=com"
> bindmethod=simple
> binddn=cn=client,dc=server,dc=name,dc=com
> credentials=therealpasswordwashere
>
> The following error is logged:
> slap_client_connect: URI=ldaps://ldap.server.name.com:636/ TLS context
> initialization failed (-1) do_syncrepl: rid=123 retrying (1 retries left)
>
> The problem goes away if I set server side parameters
> TLSCACertificateFile, TLSCertificateFile, and TLSCertificateKeyFile to
> valid values (I didn't try any smaller sets).
tls_cacert is, as is stated in the docs, an override, not an
initialization. I.e., for it to work, there must be a default server
configuration first. There is no bug here.
From slapd.conf(5):
    The tls_reqcert setting defaults to "demand" and the other TLS settings
    default to the same as the main slapd TLS settings.
This definitely could be clearer as to what it means, I'll follow up
upstream.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
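Added example, not part of the thread: a slapd.conf fragment that sets the main server TLS settings first (the three directives the reporter found necessary) and then uses tls_cacert as the per-replica override Quanah describes; certificate paths and the password are placeholders.

```conf
# Main (server-side) TLS settings. These are the defaults that the syncrepl
# consumer inherits; without them the consumer has no TLS context to override.
# Paths are placeholders for this example.
TLSCACertificateFile  /etc/ssl/certs/homegencert.pem
TLSCertificateFile    /etc/ldap/ssl/slapd-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd-key.pem

# Consumer definition. tls_cacert only overrides the CA file for this replica;
# tls_reqcert is written out explicitly here, but "demand" is already the
# default, so the provider certificate must verify against that CA.
syncrepl rid=123
        provider=ldaps://ldap.server.name.com:636/
        tls_cacert=/etc/ssl/certs/homegencert.pem
        tls_reqcert=demand
        type=refreshAndPersist
        interval=01:00:00:00
        retry="60 2 3600 +"
        searchbase="dc=server,dc=name,dc=com"
        bindmethod=simple
        binddn="cn=client,dc=server,dc=name,dc=com"
        credentials=PLACEHOLDER_PASSWORD
```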