LDAP replication stop working on ldapssl

[premoddev]

Hi,

I have changed ldap to ldaps ( as per How to enable ldaps - Zimbra :: Wiki ) in the master and replica ldap servers in my multiserver setup. But after this replication is not happening, and suddenly I reverted the change and working now.

What is wrong with ldaps, is not supported in the Multi server install setup.


Thanks,
Premod

[uxbod]

Do you have a firewall in between the two servers ? Are you running IPtables at all ?

[premoddev]

Hi Uxbod,


There is no firewall between the servers, and I am able to telnet to port 636 from replica to master and vice versa.

Actually while trying zmcontrol status on the replica I am getting the following error.
zimbra@email:~$ zmcontrol start
Host xxxx.yyyy.com
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.

#!Premod

[premoddev]

Update...

I have done two new installations in which I have changed the ldap to ldaps at the installation time in the Master and replica servers.

After the installation of the master i have created some accounts and tried the replica server. Still I am not able to start the services in the replica.

But when I list the directory in the replica using slapcat, I am able to see the accounts which I created before installing replica server. That means in the install time it got connected to the master and got the database and cached locally.

But new entries are not coming to replica after the installation of replica.


Help on this topic is really appreciated.

#!Premod

[quanah]

If all you are doing is trying to connect securely, we default to using startTLS, the RFC defined method for doing secure communications over the LDAP protocol. LDAPS was a scheme that was done with LDAPv2 because there was no official method for doing secure connections over the LDAP protocol. There's generally never a reason to use LDAPS instead of LDAP as long as you are using startTLS. If you change your configuration to use LDAPS, you're going to have to modify everything that was set to use startTLS to stop using it, since the two are not compatible.

[premoddev]

Thanks Quanah,

All I want is the secure communication between the servers, if startTLS is there on the port 389, I dont require SSL over ldap.

And one more thing, can you confirm the address book is also accessible on startTLS or it is simply ldap. If that also secure I am fine for the current setup.


Thanks in advance

#!Premod

[quanah]

It's accessible either way, in the current 5.0 series. This will be changed in the 6.0 series to allow the admin to configure whether or not to allow plain LDAP access:

Bug 20739 – make force-TLS for LDAP configurable

and whether or not to allow anonymous access (secure or not):

Bug 15378 – Obviate the need for and disallow LDAP anonymous binds

[premoddev]

Hi quanah,

I am using zimbra network edition 5.0.10, and you are telling currently the version 5 will work for both plain ldap and ldap+tls. But my experience for accessing address book using TLS is a flop, but plain ldap is working fine for clients like Thunderbird and Evolution.

And also clients like Thunderbird does not support ldap+tls but ldap+ssl is supported.


Thanks,

#!Premod