
syncrepl with tls (documentation addition request)



list,

I have a pair (one master, one slave) that are configured and working fine. syncrepl is set up between the master and slave, but the updates are transmitted in plain text (no TLS). As soon as I enable TLS, I receive the following error on the master:

TLS certificate verification: Error, unsupported certificate purpose

Now, I think I know what the issue is. When I generated the slave's server certificate for TLS, I set the "NSCertType = server" variable because that's what it is ;) It appears that the slave is supplying the slave server's certificate as a client certificate to the master OpenLDAP box. What I had to do on the server was to comment out "TLSVerifyClient allow". After that, syncrepl over SSL (ldaps://) worked just fine. Of course, if I don't set "TLSVerifyClient", I cannot utilize any client-side certificate checking ;)

Is this the intended behavior, or an oversight on my part? I didn't see anywhere in the docs that the NSCertType variable should not be set on a server certificate.

Is there a way to specify different client certificates in slapd.conf than the server's TLS certificates for the purpose of syncrepl?

best regards,


_Terry
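The failure described in the post can be reproduced with the openssl command line alone, outside of slapd. The consumer (slave) opens the TLS connection to the provider (master), so it is the TLS client in that exchange, and a provider with TLSVerifyClient set verifies the consumer's certificate for the "sslclient" purpose; a certificate marked server-only (nsCertType = server, extendedKeyUsage = serverAuth) fails that check, which OpenSSL reports as "unsupported certificate purpose". The script below is an added example, not code from the original post or from the OpenLDAP project. It builds a throwaway CA, issues one server-only certificate and one marked for both server and client use, and runs openssl verify with each purpose; the hostnames, file names and CA are constructed for the demonstration, and it assumes only that the openssl binary (1.0.2 or later) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): show why a server-only
# certificate is rejected when it is presented as a TLS *client* cert.
# Everything here (CA, hostnames, files) is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA used only to sign the two test certificates.
cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Demo Syncrepl CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Two extension profiles for the replica's certificate:
#   server_only       = what the post describes (nsCertType = server)
#   server_and_client = usable both for ldaps:// on the replica and as the
#                       client cert when the replica connects to the provider
cat >"$WORK/leaf.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = replica.example.net
[ server_only ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
subjectAltName = DNS:replica.example.net
[ server_and_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
nsCertType = server, client
subjectAltName = DNS:replica.example.net
EOF

# issue_cert NAME EXT_SECTION: key + CSR + CA-signed cert as $WORK/NAME.*
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.cnf" -extensions "$2" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# check_purpose NAME PURPOSE: prints "ok" or "rejected".
#   sslclient = the check a provider with TLSVerifyClient applies to the
#               consumer's certificate
#   sslserver = the check a consumer applies to the provider's certificate
check_purpose() {
    if openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

issue_cert server-only server_only
issue_cert dual server_and_client

for name in server-only dual; do
    for purpose in sslserver sslclient; do
        printf '%-12s %-10s %s\n' "$name" "$purpose" "$(check_purpose "$name" "$purpose")"
    done
done
```

The server-only certificate verifies for sslserver but is rejected for sslclient, which is exactly the position the consumer is in when it connects to a provider that has TLSVerifyClient enabled; the dual-purpose certificate passes both checks. The rejection comes from OpenSSL's purpose check (X509_V_ERR_INVALID_PURPOSE), not from slapd itself, so the same result would be seen with any TLS client presenting that certificate. On the second question in the post: in slapd.conf(5) for later OpenLDAP releases the syncrepl directive accepts its own tls_cert=, tls_key= and tls_cacert= parameters, so the consumer can present a dedicated client certificate rather than reusing the TLSCertificateFile it serves with; whether the release in use here supports those parameters is an assumption to check against its own manual page.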