[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Example for replication over SSL

On Fri, 17 Aug 2001, Marian Steinbach wrote:

> Hi Leo!
> As I have the same problem (and it's not working yet...) I sum up how I 
> think it should look like, and I put my questions in, too.
> The scenario you descibe is not too different from having two LDAP 
> servers where at least the slave allows for TLS connections. The master 
> should have a replica entry in the slapd.conf like
> replica host=ldapslave.my.org tls=yes bindmethod=simple 
> binddn="cn=manager, dc=my, dc=org" credentials=secret
> See manpage slapd.conf(5). Unfortunately, the manpage refers to the 
> Administrators Guide for further information. In fact, the manpage (at 
> least on my install of 2.0.11) is more complete than the Administrators 
> Guide.
> So I don't know currently what the option tls=yes versus tls=critical 
> means. If it is the same as the parameter -Z versus -ZZ for the clients, 
> then of course you'd like to set tls=critical in order to firce the 
> slurpd to connect via TLS. If anybody can give valid information on 
> this, please jump in!
> The rest depends on TLS configuration on the slave LDAP server.
> Marian
To clarify my main questions along with yours:

I realize the setup of the slave will be relatively simple.  So what I
want to especially know is what has to be compiled into my slurpd to
support TLS AND what does my slapd.conf file that that slurpd reads look
like on the line that has:

replica host=xxx

right here I want to know what is put for bindmethod, mech, authcid,
authzid, credentials

I assume I need no srvtab since I'm not using Kerberos.

Yes, I've even looked at the "sysadmin" document that is distributed with
the cyrys sasl distribution I'm using but they do not explain the
"mecahanism" well at all.



> Leo Cyr wrote:
> >I've read the "openldap 2.0 administrator's guide" and It makes reference
> >to secure replication; it even goes so far as to say it should be done no
> >other way unless the network is secure.  However, it does not provide an
> >example slapd.conf file that will work with a slapd master, a slurpd, and
> >a slapd slave.  Would someone provide a simple, working example?
> >
> >BTW, I'm very fimilar with replication in general, I currently use 1.2.11
> >binding and replicating over ssh -- I want to get rid of my ssh tunnels.
> >
> >TIA
> >
> >Leo Edmiston-Cyr
> >

Leo Edmiston-Cyr
Network Administrator, PennsWoods.net
814-624-2424 ext. 510