If I move either entry, the service fails to start.

-----Original Message-----
From: Michael Ströder [mailto:[email protected]]
Sent: Monday, May 23, 2011 10:15 AM
To: Darouichi, Aziz
Cc: [email protected]
Subject: Re: TLS replication/SALS bindmethod

Darouichi, Aziz wrote:
> I configured multi-master replication; everything worked fine till I hashed
> rootpw to conform to a hardcoded password in Oracle.
> I configured the OpenLDAP servers to use SASL. This is my configuration:
> provider=ldap://xxx.xxx.xxx:389
> bindmethod=sasl
> saslmech=external
> starttls=yes
> tls_cert=/etc/pki/tls/certs/slapd.pem
> tls_key=/etc/pki/tls/private/ldap.pem
> tls_cacert=/etc/pki/tls/certs/ca-bundle.crt
> tls_reqcert=demand
> binddn="cn=ldap,dc=establishment,dc=edu"
> credentials={SSHA}2vNffW+5hEolqIykgH9tCpxq9jTTVSSu
> searchbase="dc=establishment,dc=edu"
> schemachecking=on
> type=refreshAndPersist
> retry="60 +"

I don't understand why you use bindmethod=sasl saslmech=external and
binddn="cn=ldap,dc=establishment,dc=edu"
credentials={SSHA}2vNffW+5hEolqIykgH9tCpxq9jTTVSSu
together. Anyway, you have to provide the clear-text password here since the
consumer is an LDAP client.

> When I run ldapsearch against the servers I get a response from both machines.
> ldapsearch -H ldap://server.establishment.edu -D "cn=ldap,dc=establishment,dc=edu" -w "PASSWORD" -x -b "dc=establishment,dc=edu" "(objectclass=*)" uid
> This is what I get in the logs:
> May 23 09:37:01 ldap1 slapd[1559]: slap_client_connect: URI=ldap://xxx.xxx.edu:389 ldap_sasl_interactive_bind_s failed (-6)
> May 23 09:37:01 ldap1 slapd[1559]: do_syncrepl: rid=002 rc -6 retrying
> May 23 09:37:58 ldap1 slapd[1559]: conn=5220 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
> May 23 09:38:01 ldap1 slapd[1559]: slap_client_connect: URI=ldap://xxx.xxx.edu:389 Warning, ldap_start_tls failed (2)
> May 23 09:38:01 ldap1 slapd[1559]: slap_client_connect: URI=ldap://xxx.xxx.edu:389 ldap_sasl_interactive_bind_s failed (-6)
> May 23 09:38:01 ldap1 slapd[1559]: do_syncrepl: rid=002 rc -6 retrying

This basically means that TLS is not properly configured at the provider.

Ciao, Michael.
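
The two points raised in the thread, as an added worked example that is not part of the original mails and not OpenLDAP project code: a small linter for a syncrepl directive (flags binddn/credentials mixed with bindmethod=sasl saslmech=external, and a credentials value that is a stored {SSHA} hash instead of the clear-text password the consumer must send) and a classifier for the slapd log lines quoted above. The directive and log lines are constructed copies of what was posted; the OID 1.3.6.1.4.1.1466.20037 is the StartTLS extended operation, and the numeric codes are read from libldap (-6 is LDAP_AUTH_UNKNOWN) and the LDAP resultCode list (2 is protocolError). Function names are my own.

```python
"""Added example (not from the thread): lint a syncrepl directive and
explain the slapd log lines posted above.  Inputs are constructed copies."""
import re
import shlex

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)
LDAP_AUTH_UNKNOWN = -6                     # libldap: auth method unknown/unavailable
LDAP_PROTOCOL_ERROR = 2                    # LDAP resultCode protocolError
HASH_PREFIX = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT|CLEARTEXT)\}", re.I)

# Constructed copy of the syncrepl directive posted in the thread.
SYNCREPL_DIRECTIVE = """
provider=ldap://xxx.xxx.xxx:389 bindmethod=sasl saslmech=external starttls=yes
tls_cert=/etc/pki/tls/certs/slapd.pem tls_key=/etc/pki/tls/private/ldap.pem
tls_cacert=/etc/pki/tls/certs/ca-bundle.crt tls_reqcert=demand
binddn="cn=ldap,dc=establishment,dc=edu"
credentials={SSHA}2vNffW+5hEolqIykgH9tCpxq9jTTVSSu
searchbase="dc=establishment,dc=edu" schemachecking=on
type=refreshAndPersist retry="60 +"
"""

# Constructed copy of the slapd log lines posted in the thread.
SLAPD_LOG = """\
May 23 09:37:01 ldap1 slapd[1559]: slap_client_connect: URI=ldap://xxx.xxx.edu:389 ldap_sasl_interactive_bind_s failed (-6)
May 23 09:37:01 ldap1 slapd[1559]: do_syncrepl: rid=002 rc -6 retrying
May 23 09:37:58 ldap1 slapd[1559]: conn=5220 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
May 23 09:38:01 ldap1 slapd[1559]: slap_client_connect: URI=ldap://xxx.xxx.edu:389 Warning, ldap_start_tls failed (2)
"""


def parse_syncrepl(text):
    """Split a syncrepl directive into a dict.  shlex keeps quoted values
    such as retry="60 +" together and strips the quotes."""
    params = {}
    for token in shlex.split(text):
        key, _, value = token.partition("=")
        params[key.lower()] = value
    return params


def lint_syncrepl(params):
    """Return (parameter, message) findings for a consumer configuration."""
    findings = []
    method = params.get("bindmethod", "simple").lower()
    mech = params.get("saslmech", "").upper()
    if method == "sasl" and "binddn" in params:
        findings.append(("binddn", "binddn belongs to bindmethod=simple; "
                         "SASL binds identify via authcid/authzid"))
    if method == "sasl" and mech == "EXTERNAL" and "credentials" in params:
        findings.append(("credentials", "SASL EXTERNAL authenticates with the "
                         "client certificate; credentials is not used"))
    if HASH_PREFIX.match(params.get("credentials", "")):
        findings.append(("credentials", "the consumer sends credentials as the "
                         "bind password, so it must be clear text, not a hash"))
    if mech == "EXTERNAL" and params.get("starttls", "no").lower() == "no" \
            and not params.get("provider", "").startswith("ldaps://"):
        findings.append(("saslmech", "EXTERNAL needs a TLS session: set "
                         "starttls=yes or use an ldaps:// provider"))
    return findings


def diagnose_log(text):
    """Map the slapd messages to what they mean; returns a list of strings."""
    diagnosis = []
    for line in text.splitlines():
        if "do_extended" in line and STARTTLS_OID in line:
            diagnosis.append("provider does not offer StartTLS: no TLS configured there")
        elif "ldap_start_tls failed (%d)" % LDAP_PROTOCOL_ERROR in line:
            diagnosis.append("consumer StartTLS request rejected with protocolError")
        elif "ldap_sasl_interactive_bind_s failed (%d)" % LDAP_AUTH_UNKNOWN in line:
            diagnosis.append("SASL bind failed with LDAP_AUTH_UNKNOWN: EXTERNAL unavailable without TLS")
    return diagnosis


if __name__ == "__main__":
    for key, msg in lint_syncrepl(parse_syncrepl(SYNCREPL_DIRECTIVE)):
        print("config %-12s %s" % (key + ":", msg))
    for msg in diagnose_log(SLAPD_LOG):
        print("log    %s" % msg)
```

The log classifier only confirms the diagnosis; the check a practitioner would run against the provider itself is an anonymous root DSE read, `ldapsearch -x -H ldap://provider -s base -b "" supportedExtension`, and look for 1.3.6.1.4.1.1466.20037 in the result. If the OID is missing, slapd on the provider has no TLS certificate and key configured, and both starttls=yes and SASL EXTERNAL on the consumer will keep failing exactly as logged.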
