[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Replication +TLS +Self-signed certificate.

k bah wrote:

I have LDAP replication setup (slurpd), works fine. Until a while ago I had a
CA certificate, and with that one I signed other two certificates, for two
different hosts. So I had 3 "hosts", one is the CA, another one is LDAP Master
and the last the ldap slave. Configuration on both master and slave slapd.conf

TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt
TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key
TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt

That sounds like a correct configuration.

Now I changed the certificates, both the Master and Slave machines use self
signed certificates, I changed the certificates/tls config on several
services that used it, they work fine, but LDAP replication stopped

That is a bad configuration. The old saying applies - "if it ain't broke, don't fix it." Your original config was fine...

If you're replacing certs because they expired or some other reason, just duplicate the structure you had originally. Create one self-signed CA cert, then create your server certs and use your CA cert to sign all the other certs. Then distribute your CA cert to all the client machines as usual.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/