[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS vs. MirrorMode replication

To: openldap-technical@openldap.org
Subject: Re: TLS vs. MirrorMode replication
From: "Dieter Kluenter" <dieter@dkluenter.de>
Date: Mon, 20 Apr 2009 08:29:31 +0200
In-reply-to: <61e72ca20904191420y208ac52fl73ee8fd9e8a316db@mail.gmail.com> (Maros Timko's message of "Sun, 19 Apr 2009 22:20:18 +0100")
References: <61e72ca20904181430y491f23d8i9f36acaf5c8cb263@mail.gmail.com> <61e72ca20904191420y208ac52fl73ee8fd9e8a316db@mail.gmail.com>
User-agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b28 (linux)

Maros Timko <timkom@gmail.com> writes:

> Hi all,
>  
> we use OpenLDAP 2.4.11 on CentOS 5 for OS user PAM authentication in Xen-based
> HA cluster of 2 nodes. We are using MirrorMode replication so that databases
> are synchronised if change occurs on any node and there is no issue if one
> node goes down - each node maintains its own database. We use non-TLS local
> LDAP access (127.0.0.1) on Dom0 and TLS from virtual machines to LDAP.
> As soon as LDAP replication is set up in non-TLS way, everything works fine.
> But we are trying to set up TLS also for replication to bring more security
> into the system. However, it seems like there is a principial issue here - one
> cannot specify client access config for local access and for remote
> replication at the same time. Or can we?
> If we define client config to use TLS for the peer, then each local request
> goes to peer node. If the peer is down, the request will fail and user cannot
> log in into the OS. It looks like syncrepl requires client configuration to
> the peer.
> We tried to use "start_tls" option in syncrepl section but we still fail to
> connect to peer node. From the replies on the list I assume, TLS options in
> syncrepl section are just supposed to overwrite default settings, not to
> specify explicit option for it.
>  
> Questions:
>  - Is it possible to use local LDAP database locally together with TLS-enabled
> replication in a cluster?
>  - Is anybody running such or similar setup successfully?
>  - What would you suggest, if it is not possible?

In a proper designed and configured TLS session, the client has to
verfiy the host certificate DN, if the client has to switch to a
mirrored node the the certificate DN may note meet the verfication
requirements. 
In order to solve this, a host certificate may extended to a
subjectAltName attribute. This can be achieved by editing the [
user_cert ] section of openssl.cnf.
The entry could be something like 
subjectAltName=DNS:ldap.example.com,DNS:localhost

-Dieter 
-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E

References:
- TLS vs. MirrorMode replication
  - From: Maros Timko <timkom@gmail.com>

Prev by Date: TLS vs. MirrorMode replication
Next by Date: Adding OU with PSQL backend
Index(es):
- Chronological
- Thread