[Date Prev][Date Next]
Re: (ITS#7042) [PATCH] allow unsetting of tls_* options for syncrepl
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7042) [PATCH] allow unsetting of tls_* options for syncrepl
- From: firstname.lastname@example.org
- Date: Mon, 12 Sep 2011 17:00:46 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> Full_Name: Jan Vcelak
> Version: master
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20110912-syncrepl-allow-unsetting-of-tls-options.patch
> Submission from: (NULL) (220.127.116.11)
> I'm just passing a patch submitted to our bugzilla:
> To sum it up: If tls_cert/tls_key syncrepl options are not specified, server
> setting is inherited and used. According to various reports on the Internet,
> this is a feature, not a bug.
Relying on hearsay "According to various reports on the Internet" is a stupid
way to get information, particularly when it's already documented in the
slapd.conf(5) and slapd-config(5) manpages.
> However it forces a replica to use a client
> certificate for authentication, because the tls_cert and tls_key options can not
> be disabled.
> The patch allows tls_* options to be disabled, like this: "tls_cert="
> Without the patch, "file not found" error will occur.
> The patch is written by the submitter of the bug report - Patrick Monnerat (pm
> at datasphere dot ch).
Thanks for passing along the report, but I'm not convinced this is a
legitimate issue. Servers that trust each other for replication should accept
each other's TLS certificates. As I see it, if their certs aren't working in
this configuration then their certificates were created with the wrong usage
flags, and this is not an OpenLDAP issue.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/