
Re: tls



Andrew Findlay wrote:

On Fri, Nov 14, 2003 at 12:56:08PM +0300, Mark wrote:



If you want to *require* encryption you need to add security strength
factors to slapd.conf - see the 'security' section of the slapd.conf
manpage.




Thanks, it worked.

I inserted this string in slapd.conf:
security tls=112
Is that right?
Now is all traffic between the client host and the slapd server encrypted?



It should be, but it would be a good idea to check. A simple test is to use ldapsearch with the '-ZZ' flag. If you want to check that other clients are using encryption, either turn up the log level on slapd or use a network snooper like tcpdump to inspect the traffic.

Don't forget that the client programs will need to know about the
server certificate (or preferably the CA certificate that signed it).
This usually means copying the PEM-format certificate file to the
client machine and appending it to a known-certs file. If your client
programs use OpenSSL the command will be something like this:

openssl x509 -in master.cert -text >> /usr/share/ssl/certs/ca-bundle.crt

(The location of the bundle file may vary depending on how OpenSSL was
installed)

Andrew


I checked, this is working.

Next question, about replication between 2 servers with TLS.
My CA is on the same computer where the master server is located.
I signed the slave host with the CA.
I put the key, cacert and cert files on the slave host.
And when I attempt to change anything on the master,
slurpd does not connect to the slave.

If the CA runs on the slave, then slurpd on the master can establish the connection.
But then can't I connect from a third host to the master over TLS?
For example, I want to run GQ anywhere and connect to the master host or the slave at the same time.


Sorry for my English :\

--
UIN 136401725
mark@rusautogaz.ru
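As an added example (not from the thread or from OpenLDAP itself), a small POSIX shell lint for the 'security' directive Andrew points to: it reads a slapd.conf, reports the effective SSF floor, and fails when TLS of at least a given strength is not required, which is the server-side counterpart of the ldapsearch -ZZ check. The slapd.conf fragments it writes are constructed samples with placeholder paths.

```shell
# Added example, not from the thread: lint slapd.conf for the 'security'
# directive. Sample configs below are constructed; paths are placeholders.

# lint_slapd_security <slapd.conf> <required-ssf>
# Prints the SSF floor a non-SASL client must reach (the larger of the
# 'ssf=' and 'tls=' factors) and returns 0 only if it is >= <required-ssf>.
lint_slapd_security() {
    conf=$1; want=$2
    # First global 'security' directive; comment lines start with '#' and never match.
    line=$(sed -n 's/^[[:space:]]*security[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "no security directive: cleartext binds and searches are allowed"
        return 1
    fi
    ssf=0; tls=0
    for kv in $line; do
        case $kv in
            ssf=*) ssf=${kv#ssf=} ;;
            tls=*) tls=${kv#tls=} ;;
        esac
    done
    eff=$ssf
    [ "$tls" -gt "$eff" ] && eff=$tls
    echo "effective minimum SSF: $eff"
    [ "$eff" -ge "$want" ]
}

SAMPLE_DIR=$(mktemp -d)
# Master that requires TLS, as Andrew suggests.
cat > "$SAMPLE_DIR/strong.conf" <<'EOF'
TLSCertificateFile    /etc/openldap/master.cert
TLSCertificateKeyFile /etc/openldap/master.key
TLSCACertificateFile  /etc/openldap/cacert.pem
security tls=128 ssf=112
database bdb
EOF
# Certificates configured but no 'security' line: TLS is offered, not
# required, so a client may still bind and search in the clear.
cat > "$SAMPLE_DIR/optional.conf" <<'EOF'
TLSCertificateFile    /etc/openldap/master.cert
TLSCertificateKeyFile /etc/openldap/master.key
database bdb
EOF
# Floor present but too low to rule out weak ciphers.
printf 'security ssf=56\ndatabase bdb\n' > "$SAMPLE_DIR/weak.conf"
for f in strong optional weak; do
    printf '%s: ' "$f"
    lint_slapd_security "$SAMPLE_DIR/$f.conf" 112 || echo "  -> FAIL: TLS >= 112 not required"
done
```

The 'security' line only raises the floor; slapd still needs the TLSCertificateFile and TLSCertificateKeyFile directives to offer TLS at all, which is why the lint reports the missing directive and the too-low factor as separate findings.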