
Re: replication and tls



On Sat, 13 May 2006 22:53:21 -0300
"Francisco Saito" <fksaito@gmail.com> wrote:

> Add a clausule:
> tls=critical  after bindmethod=simple credentials=secret

It seems to refuse the SSLv3 cert. All I need is a root-cert on both
machines (for the master in ldap.conf) and a cert/key-pair signed by
that root-cert on the slave? Or have I missed something somewhere?

R.



> On 5/13/06, richard lucassen <mailinglists@lucassen.org> wrote:
> >
> > Hello list,
> >
> > Using version 2.2.23 (Debian Sarge) with slurpd-replication, I see
> > that the certificates are exchanged and replication works, but the
> > replicator's username/pass is passing cleartext over the line.
> >
> > -- master slapd.conf:
> > replica uri=ldap://ldapslave.example.com starttls=yes
> >         binddn=cn=replicator,dc=example,dc=com
> >         bindmethod=simple credentials=secret
> >
> > -- master ldap.conf:
> > TLS_CACERT /etc/ldap/cacert.crt
> >
> >
> > -- slave slapd.conf
> > TLSCACertificateFile /etc/ldap/cacert.crt
> > TLSCertificateFile /etc/ldap/ldapslave.example.com-cert.pem
> > TLSCertificateKeyFile /etc/ldap/ldapslave.example.com-key.pem
> >
> > When connecting to the servers (master and slave) with gq, tls is
> > working. Anyone a hint?
> >
> > Richard.
> >
> > --
> > ___________________________________________________________________
> > It is better to remain silent and be thought a fool, than to speak
> > aloud and remove all doubt.
> >
> > +------------------------------------------------------------------+
> > | Richard Lucassen, Utrecht                                        |
> > | Public key and email address:                                    |
> > | http://www.lucassen.org/mail-pubkey.html                         |
> > +------------------------------------------------------------------+
> >


-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+
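The security-relevant detail behind this exchange is the difference between `starttls=yes` and `starttls=critical` on the slurpd `replica` directive: with `yes`, slurpd tries StartTLS and, if the handshake fails (as it does here when the slave's certificate is refused), simply continues and sends the simple-bind password in the clear; with `critical`, the session is aborted instead. The following is an added example, not code from the thread or from the OpenLDAP project: a small audit script that joins slapd.conf continuation lines, parses each `replica` directive, and reports the ones whose simple-bind credentials could travel over cleartext. It assumes the `starttls=yes|critical` keyword as documented in slapd.conf(5), treats a missing `bindmethod` as `simple`, and the sample configuration is constructed from the lines quoted in the thread.

```python
"""Audit slapd.conf 'replica' directives for simple-bind credentials that
may be sent in cleartext.  Added example for this thread, not OpenLDAP code."""

# Constructed sample, modelled on the master slapd.conf quoted above.
# Only the first replica is at risk: starttls=yes falls back to cleartext.
SAMPLE_SLAPD_CONF = """\
# master slapd.conf (constructed sample)
replica uri=ldap://ldapslave.example.com starttls=yes
        binddn=cn=replicator,dc=example,dc=com
        bindmethod=simple credentials=secret
replica uri=ldaps://ldapslave2.example.com
        binddn=cn=replicator,dc=example,dc=com
        bindmethod=simple credentials=secret
replica uri=ldap://ldapslave3.example.com starttls=critical
        binddn=cn=replicator,dc=example,dc=com
        bindmethod=simple credentials=secret
"""


def logical_lines(text):
    """Join slapd.conf continuation lines (a line beginning with whitespace
    continues the previous directive); drop blank lines and '#' comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and out:
            out[-1] += ' ' + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_replica(line):
    """Turn 'replica key=value key=value ...' into a dict (later keys win)."""
    opts = {}
    for tok in line.split()[1:]:
        key, _, value = tok.partition('=')
        opts[key.lower()] = value
    return opts


def audit(text):
    """Return a list of (uri, finding) for replica directives whose
    simple-bind password could be transmitted without TLS protection."""
    findings = []
    for line in logical_lines(text):
        if not line.lower().startswith('replica '):
            continue
        opts = parse_replica(line)
        uri = opts.get('uri', '?')
        # Assumption: slurpd's default bind method is simple when omitted.
        if opts.get('bindmethod', 'simple').lower() != 'simple':
            continue  # SASL binds are outside the scope of this check
        if uri.lower().startswith('ldaps://'):
            continue  # TLS from the first byte; no cleartext window
        mode = opts.get('starttls', 'no').lower()
        if mode == 'critical':
            continue  # slurpd aborts the session if StartTLS fails
        if mode == 'yes':
            findings.append((uri, 'starttls=yes falls back to cleartext when '
                                  'the TLS handshake fails; use starttls=critical'))
        else:
            findings.append((uri, 'no TLS at all: simple-bind password is '
                                  'sent in cleartext'))
    return findings


if __name__ == '__main__':
    for uri, finding in audit(SAMPLE_SLAPD_CONF):
        print(f'{uri}: {finding}')
```

Run it against a real slapd.conf by reading the file into `audit()`. Independently of the script, `ldapsearch -ZZ` (StartTLS required, not merely attempted) run from the master with the master's `ldap.conf` against the slave is the quickest way to see whether the slave's certificate chain is actually accepted, since a refused certificate with `starttls=yes` is precisely the case in which the replicator password goes out unencrypted.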