
Re: LDAP Replication +TLS +Self-signed certificate.



k bah wrote:
> Hi,
>
> I have LDAP replication setup (slurpd), works fine. Until a while ago I had a
> CA certificate, and with that one I signed other two certificates, for two
> different hosts. So I had 3 "hosts", one is the CA, another one is LDAP Master
> and the last the ldap slave. Configuration on both master and slave slapd.conf
> had:
>
> TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt
> TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key
> TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt

That sounds like a correct configuration.

> Now I changed the certificates, both the Master and Slave machines use self
> signed certificates, I changed the certificates/tls config on several
> services that used it, they work fine, but LDAP replication stopped
> working.

That is a bad configuration. The old saying applies - "if it ain't broke, don't fix it." Your original config was fine...


If you're replacing certs because they expired or some other reason, just duplicate the structure you had originally. Create one self-signed CA cert, then create your server certs and use your CA cert to sign all the other certs. Then distribute your CA cert to all the client machines as usual.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
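An added example, not from this thread or from the OpenLDAP project: it rebuilds the layout Howard recommends (one self-signed CA signing each server cert) and then uses `openssl verify` to emulate what a peer configured with TLSCACertificateFile does, showing that a CA-signed server cert verifies while a stand-alone self-signed one does not. It assumes the openssl CLI is installed; the host names and file names are constructed.

```shell
#!/bin/sh
# Constructed example: one CA, CA-signed server certs, and the self-signed
# variant that breaks verification against TLSCACertificateFile.
set -eu

WORKDIR=${WORKDIR:-$(mktemp -d)}

# Private key plus self-signed CA certificate (the "CA host" of the thread).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example-ca" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Server key + CSR, then sign the CSR with the CA: the original working setup.
make_signed_cert() {  # $1 = host name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/$1.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Stand-alone self-signed server cert: the change that broke replication.
make_selfsigned_cert() {  # $1 = host name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORKDIR/$1-self.key" -out "$WORKDIR/$1-self.crt" 2>/dev/null
}

# What the peer does with its TLSCACertificateFile: chain the presented cert
# to the CA it trusts. Prints "ok" or "fail".
verify_against_ca() {  # $1 = certificate file
    if openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca
make_signed_cert ldap-master
make_signed_cert ldap-slave
make_selfsigned_cert ldap-master
echo "CA-signed master cert:   $(verify_against_ca "$WORKDIR/ldap-master.crt")"
echo "CA-signed slave cert:    $(verify_against_ca "$WORKDIR/ldap-slave.crt")"
echo "self-signed master cert: $(verify_against_ca "$WORKDIR/ldap-master-self.crt")"
```

The last line is the replication failure in miniature: the slave only trusts ca.crt, so a master cert not issued by that CA is rejected during the TLS handshake.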