[Date Prev][Date Next]
Re: Slurpd and TLS/SSL
Jim Seymour wrote:
What OpenLDAP version number...
I got replication working on port 389. I can talk to the replica server
on port 636 using SSL with JXplorer. But when I try to use port 636
for replication, replication silently fails. (The "silently" part is
especially bothersome :(.)
Both servers have self-signed certs, if that matters.
All that matters is that both servers are properly configured to
recognize/accept each other's certs. However, it's usually a bad idea to
use self-signed certs for servers. Any time you need to use more than
one cert you should create an actual CA cert and use it to sign all the
others that you'll use.
I found an item about how slurpd must use TLS on port 389, as opposed
to SSL on port 636, and went back to port 389. Tcpdump revealed the
connection was not encrypted.
I tried "uri=https://host.example.com:389" and that, too, failed
Well, this is Open *LDAP* after all. I don't believe anybody has
enhanced slurpd to replicate using HTTP...
uri=ldaps://host.example.com should work fine if host.example.com is
listening on ldaps://. You can explicitly specify the port
uri=ldaps://host.example.com:636 but I usually don't bother unless
someone is using a non-default port.
The "tls" options for replication are set to "yes/try," as appropriate.
I *think* that should about cover it. Suggestions?
Remember that slurpd is an LDAP client, not an LDAP server. It only
extracts a few bits of info out of slapd.conf, the rest of its
configuration (including TLS parameters) must be set via ldap.conf.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/