Re: Slurpd and TLS/SSL
Following-up to myself...
email@example.com (Jim Seymour) wrote:
> Howard Chu <firstname.lastname@example.org> wrote:
> > All that matters is that both servers are properly configured to
> > recognize/accept each other's certs. However, it's usually a bad idea to
> > use self-signed certs for servers. Any time you need to use more than
> > one cert you should create an actual CA cert and use it to sign all the
> > others that you'll use.
> All in good time. But thanks for the suggestion.
Maybe sooner, rather than later. Read on...
> > Remember that slurpd is an LDAP client, not an LDAP server. It only
> > extracts a few bits of info out of slapd.conf, the rest of its
> > configuration (including TLS parameters) must be set via ldap.conf.
> Got here O'Reilly's "LDAP System Administration" (now rather
> out-of-date, but still useful) and the OpenLDAP.org admin guide.
> Neither mentions anything about ldap.conf in relation to replication.
So I did a "man ldap.conf" and started experimenting with TLS_REQCERT.
Values of "never" and "allow" resulted in TLS working. A value of
"try" did not. I'm certain "demand" or "hard" would likewise fail.
NB: One must remember to restart slurpd after each change ;).
So, I've some more homework to do. (I'm inclined to wonder how many
admins *think* they've got encrypted connections between slurpd and
remote slapd's, and really don't? How many admins go to the trouble
of doing a tcpdump/snoop/ethereal/whatever to see what's actually
I need to look into forcing encryption. (No, don't tell me. I know
I've read it somewhere. I'll find it again. ;).)
Thanks for the feedback, guys.
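An added check, not part of Jim's post or of OpenLDAP itself, that reads the ldap.conf slurpd uses as an LDAP client and reports whether the replica's server certificate is actually verified (the TLS_REQCERT semantics follow the ldap.conf man page; the sample files, hostnames and CA path are constructed for the demo):

```shell
# Last value of an ldap.conf keyword (keywords are case-insensitive; '#' lines are comments).
conf_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# Exit 0 only when an untrusted server cert would abort the session AND a CA to
# trust has been configured; otherwise print why the link is weaker and exit 1.
reqcert_check() {
    conf=$1
    reqcert=$(conf_value "$conf" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    ca=$(conf_value "$conf" TLS_CACERT)$(conf_value "$conf" TLS_CACERTDIR)
    case "${reqcert:-demand}" in          # libldap defaults to demand when unset
        never) echo "never: encrypted, but the server cert is never requested";  return 1 ;;
        allow) echo "allow: a bad or missing server cert is accepted anyway";    return 1 ;;
        try)   echo "try: a bad cert is rejected but a missing one is accepted"; return 1 ;;
        demand|hard) ;;
        *)     echo "unrecognised TLS_REQCERT value '$reqcert'";                 return 1 ;;
    esac
    [ -n "$ca" ] || { echo "demand: no TLS_CACERT/TLS_CACERTDIR, so a self-signed replica cert is not trusted"; return 1; }
    echo "demand: server cert checked against $ca"
}

# Two constructed ldap.conf files: the 'allow' setting that made TLS "work" in
# the post, and the CA-signed setup Howard suggested (paths are placeholders).
WEAK_CONF=$(mktemp "${TMPDIR:-/tmp}/ldap.weak.XXXXXX")
printf 'URI ldap://replica.example.com\nTLS_REQCERT allow\n' >"$WEAK_CONF"
FIXED_CONF=$(mktemp "${TMPDIR:-/tmp}/ldap.fixed.XXXXXX")
printf 'URI ldap://replica.example.com\nTLS_REQCERT demand\nTLS_CACERT /etc/openldap/cacert.pem\n' >"$FIXED_CONF"

reqcert_check "$WEAK_CONF"  || echo "-> slurpd's connection is encrypted but the replica is not authenticated"
reqcert_check "$FIXED_CONF" && echo "-> replica identity verified; remember to restart slurpd after editing"
```

With "allow" the replica is encrypted but unauthenticated, which is the "think they've got encrypted connections" case above; "demand" plus a TLS_CACERT naming the CA that signed both servers' certs is the setting under which slurpd refuses to talk to an impostor.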