
Re: Example for replication over SSL



Hi Leo!

As I have the same problem (and it's not working yet...) I sum up how I think it should look, and I put my questions in, too.

The scenario you describe is not too different from having two LDAP servers where at least the slave allows TLS connections. The master should have a replica entry in the slapd.conf like

replica host=ldapslave.my.org tls=yes bindmethod=simple binddn="cn=manager, dc=my, dc=org" credentials=secret

See manpage slapd.conf(5). Unfortunately, the manpage refers to the Administrator's Guide for further information. In fact, the manpage (at least on my install of 2.0.11) is more complete than the Administrator's Guide.

So I don't currently know what the option tls=yes versus tls=critical means. If it is the same as the parameter -Z versus -ZZ for the clients, then of course you'd like to set tls=critical in order to force slurpd to connect via TLS. If anybody can give valid information on this, please jump in!

The rest depends on TLS configuration on the slave LDAP server.

Marian


Leo Cyr wrote:

I've read the "OpenLDAP 2.0 Administrator's Guide" and it makes reference
to secure replication; it even goes so far as to say it should be done no
other way unless the network is secure.  However, it does not provide an
example slapd.conf file that will work with a slapd master, a slurpd, and
a slapd slave.  Would someone provide a simple, working example?

BTW, I'm very familiar with replication in general; I currently use 1.2.11
binding and replicating over ssh -- I want to get rid of my ssh tunnels.

TIA

Leo Edmiston-Cyr
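Putting the replica line from the reply above together with the slave-side TLS settings it says the rest depends on, here is a complete added example of the configuration for a master, its slurpd, and a TLS-capable slave. This is my own illustration, not a file from either poster or from the OpenLDAP project. The hostnames ldapmaster.my.org / ldapslave.my.org, the certificate paths under /etc/openldap/certs, the dedicated cn=replicator DN and its password are all placeholders. It also assumes (as the reply guesses, but does not confirm) that tls=critical behaves like ldapsearch -ZZ, i.e. slurpd aborts the push instead of falling back to cleartext when StartTLS fails; treat that reading of slapd.conf(5) as an assumption and check it against your own manpage.

```text
### slapd.conf on the MASTER (ldapmaster.my.org)  -- added example, not from the post
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

database        ldbm
suffix          "dc=my,dc=org"
rootdn          "cn=manager,dc=my,dc=org"
rootpw          secret            # cleartext as in the post; use a slappasswd hash in production
directory       /var/lib/ldap

# slurpd tails this log and pushes each change to every replica listed below
replogfile      /var/lib/ldap/replog

# One replica line per slave (continuation lines start with whitespace).
# tls=critical: assumption -- refuse to replicate if StartTLS cannot be negotiated.
# binddn is a dedicated replication identity, deliberately not the manager account.
replica host=ldapslave.my.org:389
        tls=critical
        bindmethod=simple
        binddn="cn=replicator,dc=my,dc=org"
        credentials=replsecret

### /etc/openldap/ldap.conf on the MASTER  -- slurpd is an LDAP client, so it reads this
# Assumed placeholders: the CA that signed the slave's server certificate.
# TLS_REQCERT demand makes the client reject a slave whose certificate does not verify.
TLS_CACERT      /etc/openldap/certs/ca-cert.pem
TLS_REQCERT     demand

### slapd.conf on the SLAVE (ldapslave.my.org)  -- added example, not from the post
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# Server-side TLS: these three directives are what let the slave accept StartTLS.
# Paths are placeholders; the certificate's subject CN must match ldapslave.my.org,
# otherwise a client that verifies the name (and slurpd with TLS_REQCERT demand) fails.
TLSCertificateFile      /etc/openldap/certs/ldapslave-cert.pem
TLSCertificateKeyFile   /etc/openldap/certs/ldapslave-key.pem
TLSCACertificateFile    /etc/openldap/certs/ca-cert.pem

database        ldbm
suffix          "dc=my,dc=org"
rootdn          "cn=manager,dc=my,dc=org"
rootpw          secret
directory       /var/lib/ldap

# The DN slurpd binds as; must match binddn in the master's replica line.
updatedn        "cn=replicator,dc=my,dc=org"
# Ordinary clients that try to write to the slave are referred to the master.
updateref       ldap://ldapmaster.my.org

# The replicator needs write access; everyone else is read-only.
# (In 2.0 the dn= value is matched as a regular expression.)
access to *
        by dn="cn=replicator,dc=my,dc=org" write
        by * read
```

Before starting slurpd, bring up the slave alone and test the TLS side from the master with a client, e.g. `ldapsearch -x -ZZ -H ldap://ldapslave.my.org -b "dc=my,dc=org" -s base`: if -ZZ cannot negotiate StartTLS against the slave's certificate, slurpd with tls=critical will not be able to either, and fixing that first separates certificate problems from replication problems.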