Re: syncrepl with x509 certificates
Hi,
Alex Samad <alex@samad.com.au> writes:
> On Mon, Jan 21, 2008 at 06:12:33AM +0100, Emmanuel Dreyfus wrote:
>> Howard Chu <hyc@symas.com> wrote:
>>
>> > > a) a way to specify another certificate to use in the syncrepl config
>> > In OpenLDAP 2.4, yes. Read the manpage.
>>
>> With 2.3, if a different cn is needed for the ldaps server and the
>> syncrepl client, a certificate with subjectAltName may help.
> It's not the name.
>
> There seem to be 2 scenarios in which a cert is used:
>
> 1) as a server, to verify that you have connected to the right machine and to
> ensure your packets are encrypted. This requires a certificate with purpose SSL
> Server.
> 2) as a client, when an ldap server in a syncrepl setup is talking to the master
> server. This requires a certificate with purpose SSL Client.
>
> I am trying to find out if it is possible to use a different certificate for
> the syncrepl process, but I can't find it. Maybe it's in the saslmech option.
You may use the sasl external mechanism and create a certificate with
a DN matching the bindDN (although you don't have to define a binddn).
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
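For readers who land on this thread later: the following slapd.conf fragments are an added illustration of Dieter's suggestion (SASL EXTERNAL with a client certificate for the consumer) combined with the per-syncrepl tls_* options that exist in OpenLDAP 2.4; they are not configuration posted by anyone in the thread. All file paths, hostnames and DNs are placeholders.

```conf
# ---- Consumer (replica) slapd.conf, OpenLDAP 2.4 ----
# The server-purpose certificate used for incoming ldaps connections.
TLSCACertificateFile   /etc/ldap/ca.pem
TLSCertificateFile     /etc/ldap/replica-server.pem
TLSCertificateKeyFile  /etc/ldap/replica-server.key

database bdb
suffix   "dc=example,dc=com"

# The client-purpose certificate is given only to the syncrepl connection,
# so it is independent of the server certificate above. With SASL EXTERNAL
# no binddn/credentials are needed: the identity is the cert subject DN.
syncrepl rid=001
         provider=ldaps://master.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=sasl
         saslmech=EXTERNAL
         tls_cacert=/etc/ldap/ca.pem
         tls_cert=/etc/ldap/replica-client.pem
         tls_key=/etc/ldap/replica-client.key
         tls_reqcert=demand

# ---- Provider (master) slapd.conf ----
# "try" requests and verifies a client cert without breaking ordinary
# ldaps clients that have none; "demand" would force every TLS client
# to present one.
TLSCACertificateFile  /etc/ldap/ca.pem
TLSVerifyClient       try

# SASL EXTERNAL presents the verified subject as "dn:<subject DN>". If the
# cert subject equals an existing entry DN (Dieter's approach) no mapping
# is needed; otherwise map it to the replication identity with authz-regexp.
authz-regexp
    "^dn:cn=replica-client,ou=replication,dc=example,dc=com$"
    "cn=replicator,dc=example,dc=com"

# Grant that identity read access to the replicated tree.
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break

# Check from the consumer host before enabling syncrepl; the answer
# should be the mapped DN, e.g. dn:cn=replicator,dc=example,dc=com:
#   LDAPTLS_CACERT=/etc/ldap/ca.pem LDAPTLS_CERT=/etc/ldap/replica-client.pem \
#   LDAPTLS_KEY=/etc/ldap/replica-client.key \
#   ldapwhoami -H ldaps://master.example.com -Y EXTERNAL
```

Note that slapd.conf does not allow trailing comments on directive lines, which is why every comment above sits on its own line.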