Re: syncrepl with x509 certificates
On Mon, 21 Jan 2008, Alex Samad wrote:
> Howard Chu <firstname.lastname@example.org> wrote:
> > > a) a way to specify another certificate to use in the syncrepl config
> > In OpenLDAP 2.4, yes. Read the manpage.
>
> There seem to be 2 scenarios in which a cert is used:
> 1) as a server, to verify that you have connected to the right machine
> and to ensure your packets are encrypted. This requires a certificate
> with purpose SSL Server.
> 2) as a client, when an LDAP server in a syncrepl setup is talking to the
> master server. This requires a certificate with purpose SSL Client.
>
> I am trying to find out if it is possible to use a different certificate
> for the syncrepl process, but I can't find it.

To repeat what Howard wrote: it is possible, but *ONLY* with OpenLDAP
version 2.4. If you're running 2.3 or earlier then it is not possible,
period. Since the manpage you quoted in another message did not show the
required suboptions, you apparently aren't running 2.4. Your choices now
are to either:
A) upgrade to 2.4 and use the new suboptions, or
B) continue to use the same cert for the two 'scenarios' you gave above.

> Maybe it's in the saslmech option.

The saslmech suboption has no effect on the cert used. (Why would it?
SASL is logically at the layer above SSL.)
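The 2.4 suboptions the reply refers to, shown as an added slapd.conf example on the consumer side (this is not from the thread or from the manpage quoted in it; the suboption names are those documented in slapd.conf(5) for OpenLDAP 2.4). The global TLS* directives carry the cert for scenario 1 (what this slapd presents to its own clients), and the tls_* suboptions of the syncrepl directive carry the cert for scenario 2 (what the syncrepl consumer presents to the provider). All file paths, the provider hostname, the rid, the suffix and the bind DN are assumptions made for the example.

```text
# slapd.conf on the syncrepl consumer, OpenLDAP 2.4. Paths and names are
# assumptions for this example.

# Scenario 1: the cert this slapd presents to the LDAP clients that
# connect to it. Issue it for SSL Server use.
TLSCACertificateFile  /etc/ldap/ssl/ca.crt
TLSCertificateFile    /etc/ldap/ssl/consumer-server.crt
TLSCertificateKeyFile /etc/ldap/ssl/consumer-server.key

database  hdb
suffix    "dc=example,dc=com"
directory /var/lib/ldap

# Scenario 2: the cert the syncrepl consumer presents when it connects
# to the provider. Issue it for SSL Client use. The tls_* suboptions
# exist only in 2.4; 2.3 has no per-syncrepl TLS settings at all.
syncrepl rid=001
         provider=ldap://ldap-provider.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials=secret
         starttls=critical
         tls_cacert=/etc/ldap/ssl/ca.crt
         tls_cert=/etc/ldap/ssl/consumer-client.crt
         tls_key=/etc/ldap/ssl/consumer-client.key
         tls_reqcert=demand
```

starttls=critical makes the consumer abort if the provider does not offer TLS, and tls_reqcert=demand makes it refuse a provider cert that does not chain to tls_cacert; without those two the separate client cert buys little, since the session can silently fall back to cleartext or an unverified peer.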
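To make the "purpose SSL Server" versus "purpose SSL Client" distinction concrete, here is an added shell example (mine, not from the thread) that builds a throwaway CA, issues one cert with extendedKeyUsage serverAuth and one with clientAuth, and asks openssl verify whether each is acceptable for the sslserver and sslclient purposes. The subject names, file names and example.com hostnames are assumptions for the demo; it needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a test PKI under
# a directory and checks certificate purposes with openssl(1).

# write_cnf FILE CN EKU: minimal openssl config with a fixed subject and
# two extension sections, one for the CA and one for a leaf with the
# given extendedKeyUsage. Using our own config avoids clashing with the
# system openssl.cnf extension defaults.
write_cnf() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[leaf]
extendedKeyUsage = $3
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# issue_cert DIR NAME CN EKU: key + CSR + CA-signed cert whose EKU is
# exactly the value given (serverAuth or clientAuth here).
issue_cert() {
    write_cnf "$1/$2.cnf" "$3" "$4"
    openssl req -config "$1/$2.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.cnf" -extensions leaf -out "$1/$2.crt" >/dev/null 2>&1
}

# make_test_pki DIR: ca.crt, server.crt (scenario 1, SSL Server) and
# consumer.crt (scenario 2, SSL Client, what the syncrepl consumer would
# present to the provider). Hostnames are assumptions for the demo.
make_test_pki() {
    mkdir -p "$1"
    write_cnf "$1/ca.cnf" "Test LDAP CA" none
    openssl req -x509 -config "$1/ca.cnf" -extensions ca -days 1 \
        -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
    issue_cert "$1" server   "ldap-provider.example.com" serverAuth
    issue_cert "$1" consumer "ldap-consumer.example.com" clientAuth
}

# cert_purpose_ok CAFILE CERT PURPOSE: succeeds only if CERT chains to
# CAFILE and its extendedKeyUsage permits PURPOSE (sslserver/sslclient).
cert_purpose_ok() {
    openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo when run directly: each cert is usable for exactly one purpose.
pki=$(mktemp -d)
make_test_pki "$pki"
for cert in server consumer; do
    for purpose in sslserver sslclient; do
        if cert_purpose_ok "$pki/ca.crt" "$pki/$cert.crt" "$purpose"; then
            echo "$cert.crt: usable as $purpose"
        else
            echo "$cert.crt: NOT usable as $purpose"
        fi
    done
done
```

The same question for a single existing cert is answered by `openssl x509 -in file.crt -noout -purpose`, which prints a Yes/No table for SSL client, SSL server and the other purposes; a cert that says "SSL client : No" is the one that will fail when handed to the syncrepl consumer in scenario 2 even though it works fine for scenario 1.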