[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: syncrepl with tls (documentation addition request)

Terry L. Inzauro wrote:

is there a way to specify different client certificates in slapd.conf than the servers tls certificates for the purpose of syncrepl?

This is a bit of a mess in OpenLDAP up to 2.3. It's being fixed in 2.4.

In 2.3, the settings in /etc/openldap/ldap.conf (along with ~/.ldaprc etc...) are read in first, and then any TLS settings in the slapd config are processed last. The slapd code then creates a dedicated TLS context for itself, separate from the default TLS context that libldap uses. It appears that there's a missing step here, we ought to explicitly initialize libldap's context before reading the slapd config and initializing slapd's own context, and that isn't being done. The result is that the settings in the slapd config replace whatever was set in ldap.conf and the slapd certificates are used in both contexts.

In the 2.4 release I've added config options to setup explicit TLS contexts for the syncrepl consumer, and I'm in the midst of adding these options for back-ldap as well. This will give you explicit control over the certificate configurations for everything that can use TLS in slapd.

We can probably patch 2.3 to avoid having the same slapd certificate settings used everywhere, but you'll still need to use ~/.ldaprc to configure the client cert for syncrepl until 2.4 is released.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/