[Date Prev][Date Next]
Re: syncrepl with tls (documentation addition request)
Terry L. Inzauro wrote:
is there a way to specify different client certificates in slapd.conf
than the servers tls certificates for the purpose of syncrepl?
This is a bit of a mess in OpenLDAP up to 2.3. It's being fixed in 2.4.
In 2.3, the settings in /etc/openldap/ldap.conf (along with ~/.ldaprc
etc...) are read in first, and then any TLS settings in the slapd config
are processed last. The slapd code then creates a dedicated TLS context
for itself, separate from the default TLS context that libldap uses. It
appears that there's a missing step here, we ought to explicitly
initialize libldap's context before reading the slapd config and
initializing slapd's own context, and that isn't being done. The result
is that the settings in the slapd config replace whatever was set in
ldap.conf and the slapd certificates are used in both contexts.
In the 2.4 release I've added config options to setup explicit TLS
contexts for the syncrepl consumer, and I'm in the midst of adding these
options for back-ldap as well. This will give you explicit control over
the certificate configurations for everything that can use TLS in slapd.
We can probably patch 2.3 to avoid having the same slapd certificate
settings used everywhere, but you'll still need to use ~/.ldaprc to
configure the client cert for syncrepl until 2.4 is released.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/