Re: syncrepl with x509 certificates


Alex Samad <alex@samad.com.au> writes:

> On Mon, Jan 21, 2008 at 06:12:33AM +0100, Emmanuel Dreyfus wrote:
>> Howard Chu <hyc@symas.com> wrote:
>> > > a) a way to specify another certificate to use in the syncrepl config
>> > In OpenLDAP 2.4, yes. Read the manpage.
>> With 2.3, if a different cn is needed for the ldaps server and the
>> syncrepl client, a certificate with subjectAltName may help.
> It's not the name.
> There seem to be 2 scenarios in which a cert is used:
> 1) as a server, to verify that you have connected to the right machine and to
> ensure your packets are encrypted.  This requires a certificate with purpose SSL
> Server
> 2) as a client, when an ldap server in a syncrepl setup is talking to the master
> server. This requires a certificate with purpose SSL Client.
> I am trying to find out if it is possible to use a different certificate for
> the syncrepl process, but I can't find it. Maybe it's in the saslmech option.

You may use the sasl external mechanism and create a certificate with
a DN matching the bindDN (although you don't have to define a binddn).
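As an added illustration (not config posted by anyone in this thread), here is how the two pieces fit together in OpenLDAP 2.4 slapd.conf: the consumer keeps its SSL Server certificate for incoming ldaps connections and hands the syncrepl client a separate SSL Client certificate via the syncrepl tls_* parameters, authenticating with SASL EXTERNAL so the certificate subject stands in for a bindDN. All file paths, hostnames and DN values are placeholders.

```conf
# --- consumer (replica) slapd.conf, OpenLDAP 2.4 ---
# Server certificate (purpose: SSL Server), used only for clients
# connecting to this replica over TLS.
TLSCACertificateFile  /etc/ldap/tls/ca.pem
TLSCertificateFile    /etc/ldap/tls/replica-server.pem
TLSCertificateKeyFile /etc/ldap/tls/replica-server.key

database  bdb
suffix    "dc=example,dc=com"

# The syncrepl client presents its own certificate (purpose: SSL Client)
# through tls_cert/tls_key, independent of the server certificate above.
# No binddn/credentials: SASL EXTERNAL takes the identity from the cert.
syncrepl rid=001
         provider=ldap://provider.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         starttls=critical
         tls_cacert=/etc/ldap/tls/ca.pem
         tls_cert=/etc/ldap/tls/replica-client.pem
         tls_key=/etc/ldap/tls/replica-client.key
         tls_reqcert=demand
         bindmethod=sasl
         saslmech=EXTERNAL

# --- provider (master) slapd.conf ---
TLSCACertificateFile  /etc/ldap/tls/ca.pem
TLSCertificateFile    /etc/ldap/tls/provider-server.pem
TLSCertificateKeyFile /etc/ldap/tls/provider-server.key
# Require and verify the client certificate against the CA; a connection
# without a valid client cert cannot use SASL EXTERNAL at all.
TLSVerifyClient demand

# Map the verified certificate subject (placeholder DN, anchored so only an
# exact match applies) to the directory entry that acts as the replicator.
authz-regexp
    "^cn=replica-client,ou=syncrepl,o=example$"
    "cn=replica,ou=replicators,dc=example,dc=com"

database  bdb
suffix    "dc=example,dc=com"
# Only the mapped replicator identity may read the replicated tree.
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=replica,ou=replicators,dc=example,dc=com" read
    by * none
```

With 2.3, which lacks the per-syncrepl tls_* parameters, the same SASL EXTERNAL mapping still works but the client has to present whatever certificate the global TLS settings select.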


