
Re: LDAP Replication +TLS +Self-signed certificate.

> ----- Original Message -----
> From: "Howard Chu" <hyc@symas.com>
> To: "k bah" <kbah@linuxmail.org>
> Subject: Re: LDAP Replication +TLS +Self-signed certificate.
> Date: Fri, 15 Aug 2008 03:34:19 -0700
> k bah wrote:
> >   Hi,
> >
> > I have LDAP replication setup (slurpd), works fine. Until a while ago I had a
> > CA certificate, and with that one I signed other two certificates, for two
> > different hosts. So I had 3 "hosts", one is the CA, another one is LDAP Master
> > and the last the ldap slave. Configuration on both master and slave slapd.conf
> > had:
> > TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt
> > TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key
> > TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt
> That sounds like a correct configuration.
> > Now I changed the certificates, both the Master and Slave machines use self
> > signed certificates, I changed the certificates/tls config on several
> > services that used it, they work fine, but LDAP replication stopped
> > working.
> That is a bad configuration. The old saying applies - "if it ain't 
> broke, don't fix it." Your original config was fine...

 I tried this (and I guess it makes sense):

 LDAP Master slapd.conf:

TLSCertificateFile /etc/openldap/ldap-master-cert.crt  (self-signed certificate)
TLSCertificateKeyFile /etc/openldap/ldap-master-key.key
TLSCACertificateFile /etc/openldap/ldap-master-cert.crt

 LDAP Slave slapd.conf:

TLSCertificateFile /etc/openldap/ldap-slave-cert.crt  (self-signed certificate)
TLSCertificateKeyFile /etc/openldap/ldap-slave-key.key
TLSCACertificateFile /etc/openldap/ldap-slave-cert.crt

 LDAP Master ldap.conf:

TLS_CACERT              /etc/openldap/ldap-slave-cert.crt (Since when replicating, the master server acts as a client to the ldap slave server, right?)
 Quoting the slurpd man page: "Note that slurpd reads replication directive from slapd.conf(5), but uses ldap.conf(5) to obtain other configuration settings (such as TLS settings)."

 LDAP Slave ldap.conf:

TLS_CACERT              /etc/openldap/ldap-master-cert.crt (I can't figure out now why, does the LDAP slave server act as a client to the ldap master server? When?)

> If you're replacing certs because they expired or some other 
> reason, just duplicate the structure you had originally. Create one 
> self-signed CA cert, then create your server certs and use your CA 
> cert to sign all the other certs. Then distribute your CA cert to 
> all the client machines as usual.
