Re: Slurpd and TLS/SSL

Jim Seymour wrote:
> Hi All,

What OpenLDAP version number...

> I got replication working on port 389.  I can talk to the replica server
> on port 636 using SSL with JXplorer.  But when I try to use port 636
> for replication, replication silently fails.  (The "silently" part is
> especially bothersome :(.)
>
> Both servers have self-signed certs, if that matters.

All that matters is that both servers are properly configured to recognize/accept each other's certs. However, it's usually a bad idea to use self-signed certs for servers. Any time you need to use more than one cert you should create an actual CA cert and use it to sign all the others that you'll use.

> I found an item about how slurpd must use TLS on port 389, as opposed
> to SSL on port 636, and went back to port 389.  Tcpdump revealed the
> connection was not encrypted.
>
> I tried "uri=https://host.example.com:389" and that, too, failed

Well, this is Open *LDAP* after all. I don't believe anybody has enhanced slurpd to replicate using HTTP...

uri=ldaps://host.example.com should work fine if host.example.com is listening on ldaps://. You can explicitly specify the port uri=ldaps://host.example.com:636 but I usually don't bother unless someone is using a non-default port.

> The "tls" options for replication are set to "yes/try," as appropriate.
>
> I *think* that should about cover it. Suggestions?

Remember that slurpd is an LDAP client, not an LDAP server. It only extracts a few bits of info out of slapd.conf, the rest of its configuration (including TLS parameters) must be set via ldap.conf.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
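
The following is an added example, not part of the original message and not OpenLDAP code: a small Python check for the failure modes raised in this thread (a non-LDAP URI scheme, cleartext replication on ldap://, and TLS trust settings missing from ldap.conf). The sample config text, bind DN and function names are constructed, and `tls` as the replica option name is assumed from the thread's wording; only the `uri=` form of the replica line is handled.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the thread's servers).
SLAPD_CONF = """\
replica uri=https://host.example.com:389 binddn="cn=replica,dc=example,dc=com"
replica uri=ldap://host.example.com:389 binddn="cn=replica,dc=example,dc=com"
replica uri=ldaps://host.example.com binddn="cn=replica,dc=example,dc=com"
"""
LDAP_CONF = """\
# client-side settings read by slurpd
TLS_REQCERT never
"""

def ldap_conf_options(text):
    """Return ldap.conf options as an upper-cased {name: value} dict."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def check_replication_tls(slapd_conf, ldap_conf):
    """List (line_no, finding) for replica lines that will not get verified TLS."""
    opts = ldap_conf_options(ldap_conf)
    has_ca = "TLS_CACERT" in opts or "TLS_CACERTDIR" in opts
    findings = []
    for no, line in enumerate(slapd_conf.splitlines(), 1):
        if not line.lower().startswith("replica") or "uri=" not in line:
            continue
        kv = {k.lower(): v for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
        uri = kv.get("uri", "")
        scheme = urlsplit(uri).scheme.lower()
        if scheme not in ("ldap", "ldaps"):
            findings.append((no, f"unsupported scheme in {uri}"))
            continue
        if scheme == "ldap" and "tls" not in kv:  # option name assumed
            findings.append((no, "ldap:// without a tls option: cleartext"))
            continue
        if not has_ca:  # the client has no CA to verify the replica's cert
            findings.append((no, "no TLS_CACERT/TLS_CACERTDIR in ldap.conf"))
        if opts.get("TLS_REQCERT", "").lower() in ("never", "allow"):
            findings.append((no, "TLS_REQCERT does not enforce verification"))
    return findings

if __name__ == "__main__":
    print(*check_replication_tls(SLAPD_CONF, LDAP_CONF), sep="\n")
```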