LDAP replica not working and is out of sync
Hello,
We have a 2-server setup which started to have some LDAP replica sync problems.
The 2 servers were recently upgraded to zcs 7.1.2 and the self signed certificates renewed using the admin console for all services.
After a few days we noticed that the ldap replica is not in sync with the master and generating the following in the zimbra.log:
Sep 29 00:21:47 zcs-mta slapd[4242]: @(#) $OpenLDAP: slapd 2.4.25 (Jul 6 2011 13:32:14) $ ^Iroot@zre-ubuntu10-64:/home/build/p4/HELIX/ThirdParty/openldap/openldap-2.4.25.4z/servers/slapd
Sep 29 00:21:48 zcs-mta slapd[4243]: slapd starting
Sep 29 00:21:48 zcs-mta slapd[4243]: slap_client_connect: URI=ldap://enterprisemail.vps-host.net:389 Error, ldap_start_tls failed (-11)
Sep 29 00:21:48 zcs-mta slapd[4243]: do_syncrepl: rid=100 rc -11 retrying
Here is what I already tried:
1. resync replica with master data and restart it using these steps:
LDAP data import export - Zimbra :: Wiki
2. checked ldapsearch from replica to query the master which is working fine using TLS:
zimbra@zcs-mta:~$ ldapsearch -ZZ -x -H ldap://<masterldap>:389/ -D "uid=zimbra,cn=admins,cn=zimbra" -b "" -s base -W +
3. checked the ca.pem on both master and replica; both are self-signed certs and not outdated.
4. tried copying the ca.key and ca.pem from the master to the replica and re-creating the links with c_rehash, but still no go.
Any ideas are much appreciated.
Thank you.
Official instructions to turn off TLS
Quote: Originally Posted by emarton
The only solution we have for now on this from zimbra support is to disable TLS from replica to master.
This got ldap replication working.
Edit /opt/zimbra/data/ldap/config/cn\=config/olcDatabase\=\{2\}hdb.ldif
Find: "olcSyncrepl:"
Change:
from:
credentials=rGMzwLka starttls=critical filter="(objectclass=*)"
to:
credentials=rGMzwLka filter="(objectclass=*)"
and restart ldap.
Thanks a lot for posting your solution, it's also working for us. When we made the change in olcDatabase={2}hdb.ldif we got another error. After some research, you can now turn TLS off with a nice command:
Code:
/opt/zimbra/libexec/zmldapreplicatool -t off
Check the official documentation for more information: Turning off starttls for replication - Zimbra :: Wiki. Besides, it looks like our password in olcDatabase={2}hdb.ldif was wrongly defined too.
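Two things worth keeping an eye on after following this thread: whether the replica's olcSyncrepl directive still carries a starttls= option (once it is removed, as in the workaround quoted above, the replication bind credentials and the replicated data cross the wire unencrypted), and whether slapd is still logging do_syncrepl retries like the ones in the first post. The POSIX shell script below is an added example, not code from this thread, from Zimbra or from the OpenLDAP project. It unfolds the cn=config LDIF, reports the StartTLS mode of the first olcSyncrepl directive, and counts and decodes the do_syncrepl retry lines for a given rid. The config contents, host names, log lines and password in it are constructed samples; the file name and the log message format are assumed to match what the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread): audit a syncrepl consumer's StartTLS setting and
# summarise its connection failures from the slapd log, so a replica that is silently
# replicating without TLS, or silently retrying, gets noticed.
# Assumptions: the consumer config is a cn=config LDIF file like the
# olcDatabase={2}hdb.ldif named in the thread, and slapd logs
# "do_syncrepl: rid=<n> rc <code> retrying" lines as quoted there.
# Host names, paths and the password below are constructed placeholders.

# Unfold LDIF: a continuation line starts with one space and belongs to the previous line.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' < "$1"
}

# Report how the first olcSyncrepl directive in an LDIF file handles StartTLS:
#   critical / yes / no  -> the value of its starttls= option
#   absent               -> directive present but no starttls option at all
#                           (bind credentials and replicated data go in the clear)
#   none                 -> no olcSyncrepl directive in the file
syncrepl_tls_mode() {
    line=$(ldif_unfold "$1" | grep '^olcSyncrepl:' | head -n 1)
    case "$line" in
        "")                     echo none ;;
        *"starttls=critical"*)  echo critical ;;
        *"starttls=yes"*)       echo yes ;;
        *"starttls=no"*)        echo no ;;
        *)                      echo absent ;;
    esac
}

# Number of "do_syncrepl: rid=<rid> rc <code> retrying" lines in a log file ($1=log, $2=rid).
syncrepl_retry_count() {
    grep -c "do_syncrepl: rid=$2 rc " "$1" || true
}

# Most recent rc code reported for that rid; OpenLDAP's -11 is LDAP_CONNECT_ERROR, which
# is what the failed ldap_start_tls in the thread surfaces as. Empty if there is none.
syncrepl_last_rc() {
    grep "do_syncrepl: rid=$2 rc " "$1" | tail -n 1 |
        sed -n 's/.*rc \(-\{0,1\}[0-9]\{1,\}\).*/\1/p'
}

# Constructed sample data standing in for the real config file and zimbra.log.
write_samples() {
    cat > "$1/olcDatabase={2}hdb.ldif" <<'EOF'
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
olcDatabase: {2}hdb
olcSyncrepl: rid=100 provider=ldap://ldap-master.example.invalid:389 bindmethod=simple
  binddn="uid=zimbra,cn=admins,cn=zimbra" credentials=PLACEHOLDER_PASSWORD
  starttls=critical filter="(objectclass=*)" type=refreshAndPersist
EOF
    cat > "$1/zimbra.log" <<'EOF'
Sep 29 00:21:48 zcs-mta slapd[4243]: slapd starting
Sep 29 00:21:48 zcs-mta slapd[4243]: slap_client_connect: URI=ldap://ldap-master.example.invalid:389 Error, ldap_start_tls failed (-11)
Sep 29 00:21:48 zcs-mta slapd[4243]: do_syncrepl: rid=100 rc -11 retrying
Sep 29 00:22:48 zcs-mta slapd[4243]: slap_client_connect: URI=ldap://ldap-master.example.invalid:389 Error, ldap_start_tls failed (-11)
Sep 29 00:22:48 zcs-mta slapd[4243]: do_syncrepl: rid=100 rc -11 retrying
EOF
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "starttls mode  : $(syncrepl_tls_mode "$tmp/olcDatabase={2}hdb.ldif")"
echo "rid 100 retries: $(syncrepl_retry_count "$tmp/zimbra.log" 100)"
echo "rid 100 last rc: $(syncrepl_last_rc "$tmp/zimbra.log" 100)"
rm -rf "$tmp"
```

On a real replica, point syncrepl_tls_mode at /opt/zimbra/data/ldap/config/cn=config/olcDatabase={2}hdb.ldif and the log functions at zimbra.log; a result of "absent" together with a retry count of 0 is exactly the state the workaround in this thread leaves you in, and is worth revisiting once the certificate problem between master and replica is actually understood.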