Re: TLS Replication that works for me (was Re: )

[John Beamon <jbeamon@franklinamerican.com>]

Daniel Crandall wrote:
> Hi,
> I added that line to the replica block in the slapd.conf, and viola!
> Fully encrypted update transmissions!
>
> Thanks a lot for the info.  I've been frustrated on this for a quite a
> while.
>
> Say, I was not having any luck locating this information in various docs.
> Can you tell me where you found out about that slapd.conf directive?
>
> Many many thanks again,
>
> Daniel
>
>
> -----Original Message-----
> From: Daniel Crandall [mailto:dcrandal@tdhca.state.tx.us]
> Sent: Wednesday, May 14, 2003 10:35 AM
> To: 'John Beamon'
> Cc: openldap-software@OpenLDAP.org
> Subject: RE: TLS Replication that works for me (was Re: )
>
> Hi, thanks for your reply!
>
> I've got replication working, and I have the certificates generated.  No
> problems there.
> The slapd.conf details are I'm sure where I'm out in the weeds.
>
> Specifically, I didn't know about this
> tls=critical            # TLS = SSL-on-request, basically

There's a reference on "LDAP v3" at www.bayour.com/openldap/, and 
there's a sample "slapd.conf.txt" under that directory.  I didn't have 
predictable results with "tls=yes", and I never found "tls=critical" 
commonly suggested.  AFAIK, it requires that all replication attempts 
use TLS or fail and die.  Also, I learned after much searching that TLS 
does not require that you specify ldaps:// in any of the replication 
statements or connections back to the master.  Those details were the 
last brick for me, too.  That article also sets up Kerberos ticketing 
for authentication and a sort of single-sign-on system.

-j