
Re: Sync Replication via TLS/SSL - get bind err



I did not, as I didn't see it in the specification (although I didn't read the source code or the man page for slapd.conf). If I look at the man page I see there is an option starttls=yes. I tried that on the slave and sniffed, and voilà, I can see TLS do the handshake for the certificate.

If someone can update the Admin Guide to include the starttls option, that would be cool.
Below is what is posted in the admin23 doc, and the man page from 2.3.xx is below that. (I remember now why I love man pages.) Thanks Quanah.


  syncrepl rid=<replica ID>
                provider=ldap[s]://<hostname>[:port]
                [type=refreshOnly|refreshAndPersist]
                [interval=dd:hh:mm:ss]
                [retry=[<retry interval> <# of retries>]+]
                [searchbase=<base DN>]
                [filter=<filter str>]
                [scope=sub|one|base]
                [attrs=<attr list>]
                [attrsonly]
                [sizelimit=<limit>]
                [timelimit=<limit>]
                [schemachecking=on|off]
                [bindmethod=simple|sasl]
                [binddn=<DN>]
                [saslmech=<mech>]
                [authcid=<identity>]
                [authzid=<identity>]
                [credentials=<passwd>]
                [realm=<realm>]
                [secprops=<properties>]


  syncrepl rid=<replica ID>
                provider=ldap[s]://<hostname>[:port]
                [type=refreshOnly|refreshAndPersist]
                [interval=dd:hh:mm:ss]
                [retry=[<retry interval> <# of retries>]+]
                searchbase=<base DN>
                [filter=<filter str>]
                [scope=sub|one|base]
                [attrs=<attr list>]
                [attrsonly]
                [sizelimit=<limit>]
                [timelimit=<limit>]
                [schemachecking=on|off]
                [starttls=yes|critical]
                [bindmethod=simple|sasl]
                [binddn=<dn>]
                [saslmech=<mech>]
                [authcid=<identity>]
                [authzid=<identity>]
                [credentials=<passwd>]
                [realm=<realm>]
                [secprops=<properties>]
                [logbase=<base DN>]
                [logfilter=<filter str>]
                [syncdata=default|accesslog|changelog]



On Dec 20, 2007, at 2:09 PM, Quanah Gibson-Mount wrote:

Did you add the startTLS directive to your syncrepl configuration?

--Quanah

--On December 20, 2007 2:02:05 PM -0500 "Chris G. Sellers"
<chris.sellers@nitle.org> wrote:

> No - I didn't understand you correctly. I switched back to ldap://:389
> and sniffed and it was all there in the clear.
>
>
> I need to encrypt the communication (and binding) of the replication from
> the Master to the Slave. I can not seem to get it to work and I can't
> find the documentation where it shows how to set the replication for the
> syncrepl to be SSL or TLS.
>
>
> Sellers
>
>
>
> On Dec 20, 2007, at 1:22 PM, Chris G. Sellers wrote:
>
>
> I think I see what you are saying. The ldaps: is forcing the implied
> SSL not startTLS. Thanks for making me think different.
>
>
> so now I just need to switch back to ldap:// and make sure TLS is setup
> and sniff to make sure the traffic is encrypted.
>
>
> Thanks
>
>
> Sellers
>
>
>
> On Dec 20, 2007, at 11:54 AM, Quanah Gibson-Mount wrote:
>
>
>
>
>
> --On December 20, 2007 11:03:44 AM -0500 "Chris G. Sellers"
> <chris.sellers@nitle.org> wrote:
> > which suggests that the connection could not be made on port 389 via
> TLS.
> > I can't figure out how to tell the repl connection to send a
> certificate.
> > Do I have to setup a user in LDAP with a cert? Do I put a client cert
> > into the syncrepl section of the slapd.conf file on the slave? Please
> > advise.
>
> You are confused. LDAPv3 startTLS is used to encrypt connections over port
> 389 (or other ports). The Ldapv2 HACK to do TLS over port 636 (ldaps://)
> is the other way of doing SSL encryption. You are mixing these two very
> different mechanisms.
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
>
>
>
>
> ______________________________________________
> Chris G. Sellers | NITLE Technology
> 734.661.2318 | chris.sellers@nitle.org
> AIM: imthewherd | GTalk: cgseller@gmail.com
>
>
>
>
>
> ______________________________________________
> Chris G. Sellers | NITLE Technology
> 734.661.2318 | chris.sellers@nitle.org
> AIM: imthewherd | GTalk: cgseller@gmail.com




--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

______________________________________________
Chris G. Sellers | NITLE Technology
734.661.2318 | chris.sellers@nitle.org
AIM: imthewherd | GTalk: cgseller@gmail.com
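For reference, here is a consumer-side syncrepl stanza showing the cleartext configuration the thread started with next to a StartTLS-protected one. This is an added illustration, not configuration from either poster; the hostname, DNs, file paths and password are placeholders. It uses the OpenLDAP 2.4 slapd.conf(5) syntax, whose syncrepl directive also accepts tls_cacert, tls_reqcert, tls_cert and tls_key keywords; the 2.3 man page quoted above only has starttls, and on 2.3 the consumer takes its CA and certificate-verification settings from the libldap ldap.conf(5) (TLS_CACERT, TLS_REQCERT) instead.

```conf
# Consumer (slave) slapd.conf, OpenLDAP 2.4 syntax. Added illustration, not
# part of the thread above. Hostname, DNs, file paths and the password are
# placeholders (assumptions). Lines starting with whitespace are continuation
# lines of the syncrepl directive.

# --- Weak: plain ldap:// with no starttls keyword. The refresh search and the
# simple bind (password included) cross the wire in the clear, which is what
# the sniff described in the thread showed.
#syncrepl rid=001
#         provider=ldap://master.example.org:389
#         type=refreshAndPersist
#         retry="60 +"
#         searchbase="dc=example,dc=org"
#         bindmethod=simple
#         binddn="cn=replicator,dc=example,dc=org"
#         credentials=secret

# --- Hardened: StartTLS on port 389 before the bind, and abort if it fails.
# starttls=yes would continue the session in cleartext if the StartTLS
# extended operation fails; starttls=critical aborts the session instead.
# tls_reqcert=demand makes the consumer verify the provider's certificate
# against tls_cacert, so a host that merely speaks TLS cannot impersonate the
# provider and collect the replicator password.
syncrepl rid=001
         provider=ldap://master.example.org:389
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=org"
         scope=sub
         schemachecking=off
         starttls=critical
         tls_cacert=/etc/openldap/cacert.pem
         tls_reqcert=demand
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=org"
         credentials=secret

# --- Optional: also present a client certificate to the provider (mutual TLS).
# Only meaningful if the provider is configured to verify client certificates
# with TLSVerifyClient; otherwise these two keywords are simply ignored.
#         tls_cert=/etc/openldap/consumer-cert.pem
#         tls_key=/etc/openldap/consumer-key.pem
```

To check the result the same way the thread did, run ldapsearch with -ZZ from the consumer host (for example `ldapsearch -ZZ -x -H ldap://master.example.org -D "cn=replicator,dc=example,dc=org" -W -b "dc=example,dc=org" -s base`); the doubled -Z makes ldapsearch fail rather than fall back to cleartext if StartTLS does not succeed, which mirrors starttls=critical. Then sniff port 389 while the consumer starts: after the StartTLS extended operation and the TLS handshake, the bind and the search results should no longer be readable in the capture.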