--On Friday, January 23, 2009 10:49 AM -0700 Rob Sims <debbug...@robsims.com> wrote:

Package: slapd
Version: 2.4.11-1
Severity: normal

With the following entry in slapd.conf:
syncrepl rid=123
        provider=ldaps://ldap.server.name.com:636/
        tls_cacert=/etc/ssl/certs/homegencert.pem
        type=refreshAndPersist
        interval=01:00:00:00
        retry="60 2 3600 +"
        searchbase="dc=server,dc=name,dc=com"
        bindmethod=simple
        binddn=cn=client,dc=server,dc=name,dc=com
        credentials=therealpasswordwashere

The following error is logged:
slap_client_connect: URI=ldaps://ldap.server.name.com:636/ TLS context
initialization failed (-1) do_syncrepl: rid=123 retrying (1 retries left)

The problem goes away if I set the server-side parameters
TLSCACertificateFile, TLSCertificateFile, and TLSCertificateKeyFile to
valid values (I didn't try any smaller sets).

tls_cacert is, as is stated in the docs, an override, not an initialization. I.e., for it to work, there must be a default server configuration first. There is no bug here.

From slapd.conf(5):

The tls_reqcert setting defaults to "demand" and the other TLS settings default to the same as the main slapd TLS settings.


This definitely could be clearer as to what it means, I'll follow up upstream.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration



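A consumer-side slapd.conf laid out as the reply describes, with the main TLS directives present before the syncrepl override; this is an added example, not configuration from the bug report or from the slapd package. The certificate paths, the database backend and the suffix are assumptions.

```conf
# Global section (before any "database" line): the main slapd TLS settings.
# The syncrepl tls_* keywords only override these per consumer, so without a
# global TLS configuration the consumer has no TLS context to start from and
# logs "TLS context initialization failed (-1)". All three are set here,
# matching what the reporter found to work. Paths are assumed.
TLSCACertificateFile  /etc/ssl/certs/ca-bundle.pem
TLSCertificateFile    /etc/ssl/certs/slapd-consumer.pem
TLSCertificateKeyFile /etc/ssl/private/slapd-consumer.key

# Assumed database section; the syncrepl directive must sit inside the
# database it replicates into. Lines that begin with whitespace continue
# the previous directive.
database        hdb
suffix          "dc=server,dc=name,dc=com"
rootdn          "cn=admin,dc=server,dc=name,dc=com"
directory       /var/lib/ldap

# Consumer: tls_cacert overrides only the CA file from the global settings;
# tls_reqcert defaults to "demand", stated here so the peer check is explicit.
# "interval" is omitted because it applies to refreshOnly, not refreshAndPersist.
syncrepl rid=123
        provider=ldaps://ldap.server.name.com:636/
        tls_cacert=/etc/ssl/certs/homegencert.pem
        tls_reqcert=demand
        type=refreshAndPersist
        retry="60 2 3600 +"
        searchbase="dc=server,dc=name,dc=com"
        bindmethod=simple
        binddn="cn=client,dc=server,dc=name,dc=com"
        credentials=REPLACE_WITH_REAL_PASSWORD
```

Keep slapd.conf readable only by the slapd user, since the consumer bind password is stored in it in clear text.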