On Mon, Mar 31, 2025 at 06:42:51AM +0000, Windl, Ulrich wrote:
> In my test environment (using openLDAP 2.5) the certificate used to
> authenticate syncrepl expired Friday night, so when returning on
> Monday, I was expecting an error from syncrepl, but I did not see any. I
> suspect that this is due to persistent connections being used.
> I see a big danger there:
> The operator may not notice that the certificate had expired as
> syncrepl still works (it seems, but there were no actual changes over
> the weekend). However (as I understand it), syncrepl will start to
> fail once the network causes the persistent connection to fail, or a
> server is restarted.

Correct.

> So I wonder: Is there a way to recognize expiration of the
> certificate? Maybe by limiting the life-time of a persistent
> connection, or slapd/syncrepl doing explicit checks on the
> certificate?

To prevent these things from ever becoming a problem, you set up
monitoring, just like with disk/mdb space, ... If you're talking about a
client certificate here, you generally have two options, either use a
tool that reads the actual file or let whatever tool/solution you used
to issue that certificate help remind you a new one needs to be
issued.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
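The first option in the reply above (a tool that reads the actual certificate file) as an added example; this is not code from the thread or from OpenLDAP. It wraps `openssl x509 -checkend` so it can be run from cron or a monitoring agent against the client certificate named in the syncrepl `tls_cert` setting. The file paths and the 14-day warning window are assumptions. It checks the file on disk, which is exactly what an established syncrepl connection does not do, so it reports the expiry whether or not the persistent connection has been torn down yet.

```shell
#!/bin/sh
# check_cert_expiry FILE [WARN_SECONDS]
#   0 : certificate in FILE stays valid for at least WARN_SECONDS (default 14 days)
#   1 : certificate has expired, or expires within WARN_SECONDS
#   2 : FILE is not a readable PEM/DER certificate
check_cert_expiry() {
    _file=$1
    _warn=${2:-1209600}   # 14 days; assumed default, tune to your renewal lead time

    # "notAfter=..." line; fails for keys, CSRs, missing files
    _end=$(openssl x509 -in "$_file" -noout -enddate 2>/dev/null) || return 2
    _end=${_end#notAfter=}

    # -checkend N exits 0 only if the cert is still valid N seconds from now
    if openssl x509 -in "$_file" -noout -checkend "$_warn" >/dev/null 2>&1; then
        printf 'OK: %s valid until %s\n' "$_file" "$_end"
        return 0
    fi

    # Distinguish "about to expire" from "already expired" for the operator
    if openssl x509 -in "$_file" -noout -checkend 0 >/dev/null 2>&1; then
        printf 'WARNING: %s expires within %s seconds (notAfter %s)\n' "$_file" "$_warn" "$_end"
    else
        printf 'CRITICAL: %s has EXPIRED (notAfter %s)\n' "$_file" "$_end"
    fi
    return 1
}

# Stand-alone use: pass the certificate files to check, e.g. the syncrepl
# client cert and the server cert (assumed paths below). Non-zero exit when
# any of them is expired or inside the warning window.
if [ "$#" -gt 0 ]; then
    _rc=0
    for _f in "$@"; do
        check_cert_expiry "$_f" "${CERT_WARN_SECONDS:-1209600}" || _rc=1
    done
    exit "$_rc"
fi
# example: ./check_cert_expiry.sh /etc/ldap/syncrepl-client.pem /etc/ldap/slapd-server.pem
```

Run it from cron on each consumer and provider host and alert on a non-zero exit; the `openssl x509 -checkend` probe is also what Nagios-style `check_ssl_cert` plugins use internally, so this can be replaced by such a plugin where one is already deployed. The second option in the reply (expiry reminders from the issuing CA or ACME client) is complementary: it catches certificates that were issued but never installed, which a file check cannot see.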
