[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: failover config: servers with same DNS address and TLS, subjectAltName extension

To: Howard Chu <hyc@symas.com>
Subject: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
From: Emmanuel Dreyfus <manu@netbsd.org>
Date: Tue, 24 Jul 2007 08:02:36 +0000
Cc: openldap-software@openldap.org
Content-disposition: inline
In-reply-to: <46A586FD.7060008@symas.com>
References: <20070723135119.GC13339@NetBSD.org> <46A586FD.7060008@symas.com>
User-agent: Mutt/1.4.2.3i

On Mon, Jul 23, 2007 at 09:58:37PM -0700, Howard Chu wrote:
> ># Cannot get this working!
> >#TLS_CRLCHECK   peer
> 
> This only works with recent OpenSSL 0.9.8 releases. You didn't mention 
> which version of OpenSSL you're using. And since this entire subject is 
> purely an OpenSSL matter and not an LDAP matter, that's a pretty key piece 
> of information.

I used 0.9.7d. 
That information (a minimal version of OpenSSL is required for it to work)
is quite important. Where was I supposed to find it? I've lost a few hours
trying to get CRLworking, I'd have been better reading the right document.

> >In order to have this working, we need x509 certificate that have
> >the subjectAltName extension. This is not an OpenLDAP-specific problem,
> >but the information about how to do it seems difficult to find, hence,
> >here is the result of my experiments.
> The information is all at your fingertips. You just haven't absorbed it yet.

I beleive the information (which exists, I agree) is not very well oriented
for the newcomer that tries to set up a new configuration.

> Also note "subject alternative name" means exactly that - it lists 
> *alternative* names for the identity. You don't have to list the real name 
> here, since that's already going into the subject CN. It does no harm, but 
> it does no good either. (And it makes your cert bigger than it needs to 
> be...)

Thanks for that hint.

> >Install ca.crt and srv1.crt (srv2.crt) on srv1 (srv2), and configure slapd,
> >with this in slapd.conf:
> >TLSCertificateFile      /etc/openssl/certs/srv1.crt
> >TLSCertificateKeyFile   /etc/openssl/private/srv1.key
> >TLSCACertificateFile    /etc/openssl/certs/ca.crt
> >TLSVerifyClient         allow
> >sasl-secprops none
> 
> Setting "sasl-secprops none" is never a good idea. Why did you put this 
> here?

I have users using plaintext login/password through TLS. Those are validated
through SASL. As I understood, using plaintext password requires 
"sasl-secprops none", is that wrong?

> No, that's not what it does. It turns off all security requirements in the 
> SASL layer, allowing all insecure mechanisms to be used. A rather big 
> mistake, after you've gone to the trouble of enabling secure authentication 
> with certificates.

In my setup, the syncrepl consumer uses certificate and gets sensitive 
information such as userPassword. Users can use plaintext password over
TLS and cannot get password hashes. Is it that odd?

-- 
Emmanuel Dreyfus
manu@netbsd.org

Follow-Ups:
- Re: failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: Howard Chu <hyc@symas.com>

References:
- failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: Emmanuel Dreyfus <manu@netbsd.org>
- Re: failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
Next by Date: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
Index(es):
- Chronological
- Thread