[Date Prev][Date Next]
Re: syncrepl with x509 certificates
Alex Samad <email@example.com> writes:
> On Mon, Jan 21, 2008 at 06:12:33AM +0100, Emmanuel Dreyfus wrote:
>> Howard Chu <firstname.lastname@example.org> wrote:
>> > > a) a way to specify another certificate to use in the syncrepl config
>> > In OpenLDAP 2.4, yes. Read the manpage.
>> With 2.3, if a different cn is needed for the ldaps server and the
>> syncrepl client, a certificate with subjectAltName may help.
> its not the name.
> There seems to be 2 scenario's that a cert is used,
> 1) as a server to verify that you have connected to the right machine and to
> ensure you packets are encrypted. This requires a certificate with purpose SSL
> 2) as a client when a ldap server in a syncrepl setup is talking to the master
> server. This requires a certificate with purpose SSL Client.
> I am trying to find out if it is possible to use a different certificate for
> the syncrepl process, but I can't find it. Maybe its in saslmech option.
You may use the sasl external mechanism and create a certificate with
a DN matching the bindDN (although you don't have to define a binddn).
Dieter Klünter | Systemberatung
GPG Key ID:8EF7B6C6