[Date Prev][Date Next] [Chronological] [Thread] [Top]

LDAP Replication +TLS +Self-signed certificate.

To: openldap-software@openldap.org
Subject: LDAP Replication +TLS +Self-signed certificate.
From: "k bah" <kbah@linuxmail.org>
Date: Fri, 15 Aug 2008 04:16:23 +0800
Content-disposition: inline

 Hi,

 I have LDAP replication setup (slurpd), works fine. Until a while ago I had a CA certificate, and with that one I signed other two certificates, for two different hosts. So I had 3 "hosts", one is the CA, another one is LDAP Master and the last the ldap slave. Configuration on both master and slave slapd.conf had:
 
TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt
TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key
TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt

 Now I changed the certificates, both the Master and Slave machines use self signed certificates, I changed the certificates/tls config on several services that used it, they work fine, but LDAP replication stopped working.

1)  To be clear (in order to have LDAP replication working with self signed certs + TLS on):

 Master machine slapd.conf:

TLSCertificateFile /etc/openldap/master-machine-certificate.crt
TLSCertificateKeyFile /etc/openldap/master-machine-key.key
TLSCACertificateFile /etc/openldap/master-machine-certificate.crt

 Master machine ldap.conf:

 TLS_REQCERT allow
 TLS_CACERT       /etc/openldap/master-machine-certificate.crt (DOES IT MATTER IF THIS MACHINE ONLY ACTS AS SERVER?)


 Slave machine slapd.conf:

TLSCertificateFile /etc/openldap/slave-machine-certificate.crt
TLSCertificateKeyFile /etc/openldap/slave-machine-key.key
TLSCACertificateFile /etc/openldap/slave-machine-certificate.crt (as this option on slapd.conf is for the -server- part of the slave, right?)

 Slave machine ldap.conf:

 TLS_REQCERT allow
 TLS_CACERT ?????


2) Second question, on other machines that run LDAP clients, I should put what in ldap.conf (/etc/openldap/ldap.conf) for the TLS_CACERT option? Leave it blank, use the ldap master machine certificate or, if that machine queries the slave ldap machine, the slave ldap machine certificate for the ldap.conf TLS_CACERT option?



 thanks a lot!


=
Search for products and services at: 
http://search.mail.com

-- 
Powered by Outblaze

Follow-Ups:
- Re: LDAP Replication +TLS +Self-signed certificate.
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: ppolicy password lockout
Next by Date: Re: Building OpenLDAP for Windows
Index(es):
- Chronological
- Thread