[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Single-master replication over TLS fails in 2.4.15

To: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
Subject: Re: Single-master replication over TLS fails in 2.4.15
From: Howard Chu <hyc@symas.com>
Date: Fri, 27 Feb 2009 15:05:37 -0800
Cc: Craig Worgan <worganc@nortel.com>, openldap-software@openldap.org
In-reply-to: <1235775118.15134.115.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
References: <87AC5F88F03E6249AEA68D40BD3E00BE19E45678@zcarhxm2.corp.nortel.com> <49A709CF.6090700@symas.com> <87AC5F88F03E6249AEA68D40BD3E00BE19E45C10@zcarhxm2.corp.nortel.com> <49A71E1E.8010200@symas.com> <1235775118.15134.115.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b3pre) Gecko/20090227 SeaMonkey/2.0a1pre Firefox/3.0.3

Brian A. Seklecki wrote:

On Thu, 2009-02-26 at 14:56 -0800, Howard Chu wrote:

In 2.4, if you configure syncrepl over TLS and omit the new options,
does OpenLDAP use the values that are configured for the server
certificate settings (TLS*), if any?

That's already explicitly stated in the slapd.conf(5) manpage.

If so, I'm confused as to why it
failed for me originally.

I have no idea, it works for me.

Meh!

Craig:
   Try issuing two certs for your replica.  One for the "server"
   services, one for the "client" service.

   Sign them both by the same Root CA, or two different intermediary CAs
   (which you can daisy chain), but differentiate them with Netscape
   Certificate Use extensions for your own reference

You're assuming he even has a CA cert. From the looks of it, he's using a single self-signed cert for everything. The Admin Guide already tells you to use a CA cert and separate server and client certs, but some people just don't seem to bother reading or following docs. All the documentation in the world is useless if nobody pays any attention.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- RE: Single-master replication over TLS fails in 2.4.15
  - From: "Craig Worgan" <worganc@nortel.com>

References:
- Single-master replication over TLS fails in 2.4.15
  - From: "Craig Worgan" <worganc@nortel.com>
- Re: Single-master replication over TLS fails in 2.4.15
  - From: Howard Chu <hyc@symas.com>
- RE: Single-master replication over TLS fails in 2.4.15
  - From: "Craig Worgan" <worganc@nortel.com>
- Re: Single-master replication over TLS fails in 2.4.15
  - From: Howard Chu <hyc@symas.com>
- Re: Single-master replication over TLS fails in 2.4.15
  - From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>

Prev by Date: Re: Single-master replication over TLS fails in 2.4.15
Next by Date: RE: Single-master replication over TLS fails in 2.4.15
Index(es):
- Chronological
- Thread