[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap slave master relationship

Omar Al-Tabari wrote:

both the provider and the consumer work fine independently, they both use TLS and have clients configured to use them, but now one of them must become a slave to the other and use Syncrepl to take the changes that the master provides.
but since both are using different certificates i dont know how are they gona communicate with their clients, since to use TLS you must create a CA certificate with the FQDN of the server, so both have different FQDN and hence different certificates.

Wrong. As explained in http://www.openldap.org/doc/admin22/tls.html the server certificate must have a DN with the FQDN of the server, but the server certificate should be a different cert than the CA cert. A single CA cert should be used to sign all of the server certificates in a cooperating network. And for future reference, you can get plenty of help on how SSL/TLS works from the openssl-users@openssl.org mailing list. Basic questions like this about how SSL/TLS are used should be asked there, they have little to do with LDAP or OpenLDAP.

Lee Jensen wrote:

>>and the binddn "slave_reader" has the bind password in the slapd.conf, but the updatedn doesnt, so how is it gona bind and update?

I wondered this myself. I assume that because syncrepl actually runs
inside the server daemon and the updatedn is configured from within the
slapd.conf it's considered safe. So the syncrepl part of the daemon just
uses that as the dn which is making mods for internal calls to check
permissions to modify objects.

Yes. The updatedn is a rather pointless setting, it has been removed in OpenLDAP 2.3. (But it is still needed in 2.2.)

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support