
Re: Single-master replication over TLS fails in 2.4.15



On Thu, 2009-02-26 at 14:56 -0800, Howard Chu wrote:
> >
> > In 2.4, if you configure syncrepl over TLS and omit the new options,
> > does OpenLDAP use the values that are configured for the server
> > certificate settings (TLS*), if any?
> 
> That's already explicitly stated in the slapd.conf(5) manpage.
> 
> > If so, I'm confused as to why it
> > failed for me originally.
> 
> I have no idea, it works for me.


Meh!

Craig:
  Try issuing two certs for your replica.  One for the "server"
  services, one for the "client" service.

  Sign them both with the same Root CA, or two different intermediary CAs
  (which you can daisy-chain), but differentiate them with Netscape
  Certificate Use extensions for your own reference

OpenSSL.cnf:

 # Extensions for the replica's "client" cert (outbound syncrepl connection)
 [ v3_client_ext ]
 subjectAltName=email:copy
 nsCertType = client, email, objsign
 # clientAuth is OID 1.3.6.1.5.5.7.3.2; the name and the OID are equivalent
 extendedKeyUsage = clientAuth

 # Extensions for the replica's "server" cert (LDAP listener)
 [ v3_server_ext ]
 nsCertType = server
 # serverAuth is OID 1.3.6.1.5.5.7.3.1
 extendedKeyUsage = serverAuth


For example, your replica may sync with your master using a management
interface from which it sources its client TCP connection to the master:

e.g.,  some-name.facil.organization.tld

   -- The client cert will be signed with this hostname in the CN=

Then, it may serve its LDAP replica off of a "service VIP", possibly an
HA/Load-Balanced IP address:

e.g., ldap.organization.tld

The Server cert can be signed with this hostname in the CN=

I'm hoping to maybe submit some massive documentation improvements that
outline sound practices and affiliated recommended configurations.



~BAS
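The two-certificate setup described above, worked through end to end as an added example (this is not code from the original post or from the OpenLDAP project): a scratch Root CA issues one cert with extendedKeyUsage serverAuth and nsCertType server for the service VIP name, and one with extendedKeyUsage clientAuth and nsCertType client for the management hostname, then each cert is checked with `openssl verify -purpose` and `-verify_hostname` to confirm it only passes for the role it was issued for. The hostnames are the hypothetical ones from the post, the CA name and the `v3_*` section names are assumptions, and everything is written into a temporary directory.

```shell
#!/bin/sh
# Added example: issue separate client and server certs for one LDAP replica
# and verify that each passes only the purpose it was issued for.
# Names below are the hypothetical ones from the post, not real hosts.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="ldap.organization.tld"                 # service VIP (listener)
CLIENT_NAME="some-name.facil.organization.tld"      # management interface (syncrepl client)

# Extension sections: one for the CA, one per role. Section names are assumed.
write_cnf() {
  cat >"$WORK/ext.cnf" <<EOF
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
subjectAltName = DNS:$SERVER_NAME

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
subjectAltName = DNS:$CLIENT_NAME
EOF
}

# Self-signed Root CA (hypothetical name) with the v3_ca extensions.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 -sha256 \
    -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert <label> <hostname-for-CN> <extension-section>
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# cert_has_purpose <label> <sslserver|sslclient>  -> prints yes/no
# openssl checks extendedKeyUsage, nsCertType and keyUsage against the purpose.
cert_has_purpose() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# cert_matches_host <label> <hostname>  -> prints yes/no (SAN/CN check)
cert_matches_host() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

write_cnf
make_ca
issue_cert server "$SERVER_NAME" v3_server
issue_cert client "$CLIENT_NAME" v3_client

for pair in "server sslserver" "server sslclient" "client sslclient" "client sslserver"; do
  set -- $pair
  printf '%s cert, purpose %-9s : %s\n' "$1" "$2" "$(cert_has_purpose "$1" "$2")"
done
printf 'server cert for %s : %s\n' "$SERVER_NAME" "$(cert_matches_host server "$SERVER_NAME")"
printf 'client cert for %s : %s\n' "$CLIENT_NAME" "$(cert_matches_host client "$CLIENT_NAME")"
```

The server cert and key are what the replica's listener points at via `TLSCertificateFile`/`TLSCertificateKeyFile` in slapd.conf; the client cert and key are what the syncrepl directive's `tls_cert=`/`tls_key=` (with `tls_cacert=` for the CA) use for the outbound connection to the master. The cross checks (server cert against `sslclient`, client cert against `sslserver`) are the ones worth keeping: a cert that passes both purposes has not actually been differentiated.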