[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS/SSL-ceritificate & Replication v2.1.3

A short time ago, at a computer terminal far, far away, Howard Chu wrote:
>Yes, the client's default behavior was changed between 2.0 and 2.1; in 2.0
>the clients default to not verifying any certificates received from a server.
>In 2.1 the clients default to full verification of server certs. You can
>change this default if you wish, and the information is in the ldap.conf(5)
>man page. However, relaxing the client's security checks is generally a bad
>Remember that slurpd is not an LDAP server; it does not accept LDAP queries
>from LDAP clients. It is  an LDAP client itself, and it gets its TLS settings
>from ldap.conf, like every other LDAP client. It only reads replica
>directives out of slapd.conf, nothing more.

It might be useful to have slurpd(8) include a reference to ldap.conf(5),
to reinforce that point.  Yes, I was guilty of thinking of slurpd as a
"daemon" alongside slapd, and expecting them to share the slapd.conf file,
and missing the point that slurpd is actually acting as an LDAP client.

Something else that I've been missing, or haven't found, is a description
of the important changes between 2.1 and 2.0.  The CHANGES file in 2.1
seems to cover only 2.1 itself.  The ANNOUNCEMENT file lists improvements,
but includes no specific details on how those might affect trying to
upgrade from 2.0.  In particular, I'm thinking about things like the above
change in cert verification behavior, as well as the change in SASL DN
format.  For each of these, we eventually found the solution by debugging
and/or searching the mailing list, but it would have been really nice to
have known about the changes and been prepared ahead of time, rather than
trying to figure them out during the actual upgrade.

For instance, something along the lines of the "Incompatible changes"
sections that are described in each Postfix release, or the "Upgrading From
Previous Versions" sections in Cyrus Imapd docs, would be good.

Will Day                  Those who would give up essential Liberty, to 
@rom.oit.gatech.edu       purchase a little temporary Safety, deserve neither 
O&E / Tech Support        Liberty nor Safety.
UNIX System Programmer      - Benjamin Franklin, Penn. Assembly, Nov. 11, 1755
  -> Opinions expressed are mine alone and do not reflect OIT policy <-

Attachment: pgpJIUMkiic6a.pgp
Description: PGP signature