[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: syncrepl with x509 certificates

On Mon, Jan 21, 2008 at 04:53:15PM -0700, Philip Guenther wrote:
> On Mon, 21 Jan 2008, Alex Samad wrote:
>>> Howard Chu <hyc@symas.com> wrote:
>>>>> a) a way to specify another certificate to use in the syncrepl config
>>>> In OpenLDAP 2.4, yes. Read the manpage.
> ...
>> There seems to be 2 scenario's that a cert is used,
>> 1) as a server to verify that you have connected to the right machine and 
>> to ensure you packets are encrypted.  This requires a certificate with 
>> purpose SSL Server
>> 2) as a client when a ldap server in a syncrepl setup is talking to the 
>> master server. This requires a certificate with purpose SSL Client.
> Correct.
>> I am trying to find out if it is possible to use a different certificate 
>> for the syncrepl process, but I can't find it.
> To repeat what Howard wrote: it is possible, but *ONLY* with OpenLDAP 
> version 2.4.  If you're running 2.3 or earlier than it is not possible, 
Yep I missed the reliance on 2.4
> period.  Since the manpage you quoted in another message did not show the 
> required suboptions, you apparently aren't running 2.4.  Your choices now 
> are to either:
> A) upgrade to 2.4 and use the new suboptions, or
trying to track down a .deb 2.4
> B) continue to use the same cert for the two 'scenarios' you gave above.
doing that in the interim
>> Maybe its in saslmech option.
> The saslmech suboption has no effect on the cert used.  (Why would it? SASL 
> is logically at the layer above SSL.)
I asked because I wasn't sure, nothing else seemed obvious
> Philip Guenther

Mulder: Either we're dealing with a psychotic religious fanatic
	who's hell bent on exposing these kinds of frauds, or a
	less pragmatic psycho who harbours a murderous 
	resentment towards the church, or maybe it's just a...
	uh... very disgruntled altar boy.

	"The X-Files: Revelations"

Attachment: signature.asc
Description: Digital signature