[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TLS/SSL-ceritificate & Replication v2.1.3

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Will Day

This has been discussed numerous times on this mailing list already. Will's
answer is basically correct, and the keywords are all documented in
slapd.conf(5) and ldap.conf(5). Please read the note about the TLS_CACERTDIR
option in ldap.conf(5) before deciding to use it. (The same applies to the
TLSCACertificatePath option in slapd.conf(5).)

Yes, the client's default behavior was changed between 2.0 and 2.1; in 2.0
the clients default to not verifying any certificates received from a server.
In 2.1 the clients default to full verification of server certs. You can
change this default if you wish, and the information is in the ldap.conf(5)
man page. However, relaxing the client's security checks is generally a bad

Remember that slurpd is not an LDAP server; it does not accept LDAP queries
from LDAP clients. It is  an LDAP client itself, and it gets its TLS settings
from ldap.conf, like every other LDAP client. It only reads replica
directives out of slapd.conf, nothing more.

> A short time ago, at a computer terminal not so far away, Harry
> Rüter wrote:
> >Replication with 2.1.3.
> >
> >I always get the same error with slurpd :
> >
> >---snipp---
> >TLS certificate verification: Error, self signed certificate in
> >certificate chain
> >TLS trace: SSL3 alert write:fatal:unknown CA
> >---snipp---
> >
> >So, i see what's the problem, slurpd doesn't like
> >selfsigned certificates.
> >---schnipp---
> >TLSCertificateFile      /etc/certificates/486dx66.crt
> >TLSCertificateKeyFile   /etc/certificates/486dx66.key
> >TLSCACertificateFile    /etc/certificates/CA.crt
> >---schnipp---
> We ran into something similar recently upgrading from 2.0.x to 2.1.3.
> Our master and replica each have an SSL cert signed by a local CA.  For
> slurpd to be able to connect via SSL to the replica, it needs to know that
> it can trust the CA that signed the replica's server cert.
> We have this specified in slapd.conf, but it looks like slurpd doesn't read
> this info from slapd.conf.  Instead, we had to specify this in ldap.conf on
> our master server, ie:
>    TLS_CACERTDIR   /usr/local/ssl/certs
> You can also specify just the filename for the CA cert with "TLS_CACERT".
> We didn't have this in ldap.conf when using 2.0.x, and replication seemed
> to work, so I'm guessing this is something that changed with 2.1.x.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support