[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: slurpd and tls replication

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Sarah Hollings

> Thanks for your assist - the problem *was* StartTLS vs SSL. I have now
> got replication working with StartTLS with the slave listening on 389,
> and confirmed that it does negotiate an encrypted connection.

> Is it not possible to implement secure replication over normal SSL on
> port 636?  Now I have TLS working, I don't need it, but was a bit of a
> red-herring in the hunt for a solution.

The terminology can certainly be confusing. Both SSL and TLS functionality
are provided by a single package (OpenSSL) and the protocols are nearly
identical, so I use "SSL" and "TLS" interchangeably. On the wire, TLS
identifies itself as SSL 3.1; it is definitely a minor revision of SSL 3.0
from a technical standpoint. As formal specs, SSL was the de facto (Netscape)
standard, and TLS is the de jure (IETF) standard.

The use of SSL/TLS in LDAP also has a similar dichotomy - ldaps, the practice
of using LDAP via SSL on port 636, is not a formal standard; it was the
common practice in LDAPv2 days before there was a written standard. StartTLS
is the formal standard that is part of the LDAPv3 spec.

The actual protocol (SSL vs TLS) is orthogonal to the method used to invoke
it (ldaps vs StartTLS). As such, there are 4 independent things to talk about
here - Are you using StartTLS? Are you using ldaps? Are you using SSL? Are
you using TLS? Normally if either of SSL or TLS are working, then both work,
so we can condense this into only 3 cases.

So your last statement above should be "Now I have StartTLS working, ..." (I
recall there was an ITS filed, suggesting that we change the slapd.conf
keyword from "tls" to "starttls" to make this distinction more obvious.
Probably a good idea, oh well.)

And to answer the other question - yes of course, you can do secure
replication over ldaps, but ldaps is deprecated in favor of StartTLS. If you
really want to do it, you have to configure it elsewhere, because there are
no keywords to enable it in slapd.conf. See the Administrator's Guide and the
ldap.conf(5) manpage.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support