
Re: Secure replication via TLS/SSL



Hello James,

Wednesday, October 02, 2002, 6:19:39 PM, you wrote:

JS> Hello all,

JS> I am using openldap-2.1.3 on Solaris 9 and have set up master and slave 
JS> instances to operate on high ports to be able to start them as non-root.

JS> the master log has the following directive:

JS> replica host=somemachine.columbia.edu:9050
JS>         binddn="cn=replicator,dc=myorg,dc=org"
JS>         bindmethod=simple credentials=xxxxx
JS>         tls=yes

JS> 1) If the master is started with ldaps:// and the slave with ldap://, the 
JS> replication works, but I am still not convinced that the data is passed 
JS> securely using TLS. I tried logging this communication with a high debug 
JS> level, but it is still unclear if the tls=yes makes any difference.
JS> 2) If both are ldaps://, the replication does not work.

JS> I would appreciate any info on this!
JS> - James

You can disable the insecure (plain-text) ldap:// scheme completely on
the slave (and master) and avoid STARTTLS completely.
Your slurpd should have the corresponding settings (TLS=hard).

Set up slave with ldaps:// on port 9051, for instance.

Set up replica something like this:

=cut
replica host=somemachine.columbia.edu:9051
         binddn="cn=replicator,dc=myorg,dc=org"
         bindmethod=simple credentials=xxxxx
=cut

Make an appropriate .conf for slurpd and name it slurpd.conf:
=cut
TLS             hard
TLS_CACERT      /path/to/CA-CERT
# TLS_CERT      /path/to/client.cert
# TLS_KEY       /path/to/client.key
# TLS_REQCERT   hard
=cut

It's highly recommended to use all of the above options.

Run slurpd with special conf:

=cut
#!/bin/sh
LDAPRC=/path/to/slurpd.conf /path/to/slurpd -f /path/to/slapd.conf
=cut

Read more in the archive:

http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-software/200208/msg00285.html


-- 
Best regards,
 Peter                            mailto:spam4octan@highway.ru
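As an added example (not part of Peter's or James's mail, and not OpenLDAP code), here is a small checker for the two files involved in the setup above: the `replica` directive in the master's slapd.conf and the ldap.conf-style file handed to slurpd through LDAPRC. It parses both and reports the settings that would let the replicator bind and the updates travel in the clear or skip certificate verification. The parsing follows the ldap.conf(5) layout (one `KEYWORD value` per line, `#` comment lines) and slapd.conf continuation lines (indented lines belong to the preceding directive); the sample configurations at the bottom are constructed from the values in the thread, and the `uri=` handling assumes a slapd version whose `replica` directive accepts `uri=` instead of `host=`.

```python
"""Audit a slurpd TLS setup: slapd.conf 'replica' directive + LDAPRC file."""
import shlex

# TLS_REQCERT levels that do not reject a bad or missing server certificate
# (ldap.conf(5): never, allow, try; 'demand'/'hard' is the strict default).
TLS_LENIENT = {"never", "allow", "try"}


def parse_ldaprc(text):
    """Parse an ldap.conf(5)-style file: 'KEYWORD value' lines, '#' comments.
    Keywords are case-insensitive, so they are upper-cased here."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts


def parse_replicas(slapd_conf):
    """Extract every 'replica' directive from slapd.conf as a dict of its
    key=value arguments. A directive continues on each following line that
    starts with whitespace; quoted values (binddn="...") are handled by shlex."""
    directives, current = [], None
    for raw in slapd_conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()      # continuation line
            continue
        if current is not None:
            directives.append(current)
        current = raw.strip() if raw.split()[0] == "replica" else None
    if current is not None:
        directives.append(current)
    parsed = []
    for directive in directives:
        kv = {}
        for token in shlex.split(directive)[1:]:   # skip the 'replica' keyword
            key, _, value = token.partition("=")
            kv[key.lower()] = value
        parsed.append(kv)
    return parsed


def audit(slapd_conf, ldaprc_text):
    """Return a list of findings; an empty list means nothing obviously weak."""
    findings = []
    opts = parse_ldaprc(ldaprc_text)
    client_tls = opts.get("TLS", "").lower() == "hard"   # slurpd's libldap forces TLS
    for rep in parse_replicas(slapd_conf):
        target = rep.get("host") or rep.get("uri", "?")
        wants_tls = rep.get("tls", "").lower() in {"yes", "critical"}
        uses_ldaps = rep.get("uri", "").lower().startswith("ldaps://")
        if not (client_tls or wants_tls or uses_ldaps):
            findings.append(
                f"{target}: no TLS requested in the replica directive or LDAPRC; "
                f"the {rep.get('bindmethod', '?')} bind and the updates go in the clear")
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("LDAPRC: no TLS_CACERT/TLS_CACERTDIR, the slave's certificate "
                        "cannot be verified against a CA")
    reqcert = opts.get("TLS_REQCERT", "").lower()
    if reqcert in TLS_LENIENT:
        findings.append(f"LDAPRC: TLS_REQCERT {reqcert} does not reject bad certificates")
    return findings


# Constructed sample: the replica directive from the post pointing at the
# ldaps:// slave port, plus a slurpd.conf with every suggested option enabled.
GOOD_SLAPD = """\
replica host=somemachine.columbia.edu:9051
         binddn="cn=replicator,dc=myorg,dc=org"
         bindmethod=simple credentials=xxxxx
"""
GOOD_LDAPRC = """\
TLS             hard
TLS_CACERT      /path/to/CA-CERT
TLS_CERT        /path/to/client.cert
TLS_KEY         /path/to/client.key
TLS_REQCERT     hard
"""
# Constructed sample: no TLS requested anywhere and verification switched off.
WEAK_SLAPD = """\
replica host=somemachine.columbia.edu:9050
         binddn="cn=replicator,dc=myorg,dc=org"
         bindmethod=simple credentials=xxxxx
"""
WEAK_LDAPRC = """\
TLS_REQCERT     never
"""

if __name__ == "__main__":
    for label, conf, rc in (("good", GOOD_SLAPD, GOOD_LDAPRC),
                            ("weak", WEAK_SLAPD, WEAK_LDAPRC)):
        print(label, audit(conf, rc) or ["ok"])
```

Run it against your own slapd.conf and the file you point LDAPRC at; the `weak` sample reproduces the situation in James's question (plain `host=` with nothing forcing TLS), while the `good` sample matches Peter's suggested setup and produces no findings.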