Re: Method for specifying SyncRepl use of TLS (ITS#3293)



Given that an undocumented method does exist, we should
regard this ITS as a request to document that method.

Kurt

At 05:59 PM 8/20/2004, matt.smith@uconn.edu wrote:
>Full_Name: Matthew J. Smith
>Version: 2.2.15
>OS: SuSE Linux
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (137.99.80.243)
>
>
>  In the SyncRepl configuration section of slapd.conf, there is no way to
>specify whether SyncRepl uses TLS or not.  It seems to use it automatically if
>it is available. A flag specifying would be very useful, allowing one to specify
>a plain-text replication (over a secured network, say) from a master that
>normally provides TLS.
>
>  My current issue is trying to build a new master that will be swapped in place
>of the current master.  The new master has an SSL certificate using the current
>master's CN (ldap.uconn.edu), so that the swap will be seamless.  However, I
>need to establish SyncRepl replication to a new replica.  The new replica cannot
>correctly use TLS to the master, because the cert CN does not match the
>DNS-resolved FQDN.
>
>  Currently, this will be overcome with /etc/hosts trickery, but a TLS flag
>would be simpler (for me).