Re: ldap slave master relationship
Omar Al-Tabari wrote:
> both the provider and the consumer work fine independently, they both
> use TLS and have clients configured to use them, but now one of them
> must become a slave to the other and use Syncrepl to take the changes
> that the master provides.
> but since both are using different certificates I don't know how
> they're gonna communicate with their clients, since to use TLS you must
> create a CA certificate with the FQDN of the server, so both have
> different FQDNs and hence different certificates.
Wrong. As explained in http://www.openldap.org/doc/admin22/tls.html the
server certificate must have a DN with the FQDN of the server, but the
server certificate should be a different cert than the CA cert. A single
CA cert should be used to sign all of the server certificates in a
cooperating network. And for future reference, you can get plenty of
help on how SSL/TLS works from the email@example.com mailing
list. Basic questions like this about how SSL/TLS are used should be
asked there; they have little to do with LDAP or OpenLDAP.
Lee Jensen wrote:
>> and the binddn "slave_reader" has the bind password in the
>> slapd.conf, but the updatedn doesn't, so how is it gonna bind and update?
> I wondered this myself. I assume that because syncrepl actually runs
> inside the server daemon and the updatedn is configured from within the
> slapd.conf it's considered safe. So the syncrepl part of the daemon just
> uses that as the dn which is making mods for internal calls to check
> permissions to modify objects.
Yes. The updatedn is a rather pointless setting; it has been removed in
OpenLDAP 2.3. (But it is still needed in 2.2.)
-- 
Howard Chu
Chief Architect, Symas Corp.  Director, Highland Sun
Symas: Premier OpenSource Development and Support
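To make the two points in this reply concrete, here is an added slapd.conf sketch that is not from the thread or from the OpenLDAP project: both servers trust the same CA file and present their own host certificate (subject CN = that host's FQDN), the consumer pulls from the provider over StartTLS using the read-only "slave_reader" bind, and the updatedn line is shown only as the OpenLDAP 2.2 leftover it is. Hostnames ldap1.example.com / ldap2.example.com, the dc=example,dc=com suffix, file paths, the rid, and the password placeholders are assumptions; the directives themselves are OpenLDAP 2.3-era slapd.conf (syncprov overlay on the provider, syncrepl with tls_cacert/starttls on the consumer).

```conf
# ---- Common to BOTH servers ----
# One CA certificate, shared by every server in the cooperating network.
# It signs each server's certificate; it is NOT the server certificate itself.
TLSCACertificateFile   /etc/openldap/ca.crt
# Each host presents its OWN certificate, whose subject CN is that host's FQDN
# (on the consumer these would be ldap2.example.com.crt / .key).
TLSCertificateFile     /etc/openldap/ldap1.example.com.crt
TLSCertificateKeyFile  /etc/openldap/ldap1.example.com.key

# ---- Provider: ldap1.example.com (OpenLDAP 2.3) ----
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER
directory       /var/lib/ldap
# Let the replication account authenticate, but keep passwords unreadable.
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
# The consumer binds as slave_reader and only needs to READ the tree.
access to *
        by dn.exact="cn=slave_reader,dc=example,dc=com" read
        by * break
overlay         syncprov
syncprov-checkpoint 100 10

# ---- Consumer: ldap2.example.com (OpenLDAP 2.3) ----
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER
directory       /var/lib/ldap
syncrepl rid=001
        provider=ldap://ldap1.example.com:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=slave_reader,dc=example,dc=com"
        credentials=CHANGEME
        starttls=critical
        tls_cacert=/etc/openldap/ca.crt
        tls_reqcert=demand
# Referral for clients that try to write to the read-only replica.
updateref       ldap://ldap1.example.com
# OpenLDAP 2.2 ONLY: the DN the consumer applies replicated changes under.
# It never binds over the network, so it has no password; the outbound bind
# is done by binddn/credentials above. Removed in 2.3 (rootdn is used).
# updatedn "cn=Manager,dc=example,dc=com"
```

The security-relevant points are in the comments: the consumer's only network credential is the read-only slave_reader bind, the provider's server certificate is validated against the shared CA (tls_reqcert=demand, starttls=critical), and nothing on the consumer needs the provider's rootpw. Because the consumer verifies the provider's certificate by CN against ca.crt, the two servers having different FQDNs and different certificates is exactly what is expected; what they must share is the CA that signed both.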