Re: LDAP Replication +TLS +Self-signed certificate.
> ----- Original Message -----
> From: "Howard Chu" <email@example.com>
> To: "k bah" <firstname.lastname@example.org>
> Subject: Re: LDAP Replication +TLS +Self-signed certificate.
> Date: Fri, 15 Aug 2008 03:34:19 -0700
> k bah wrote:
> > Hi,
> > I have LDAP replication setup (slurpd), works fine. Until a while ago I had a
> > CA certificate, and with that one I signed other two certificates, for two
> > different hosts. So I had 3 "hosts", one is the CA, another one is LDAP Master
> > and the last the ldap slave. Configuration on both master and slave slapd.conf
> > TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt
> > TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key
> > TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt
> That sounds like a correct configuration.
> > Now I changed the certificates, both the Master and Slave machines use self
> > signed certificates, I changed the certificates/tls config on several
> > services that used it, they work fine, but LDAP replication stopped
> > working.
> That is a bad configuration. The old saying applies - "if it ain't
> broke, don't fix it." Your original config was fine...
I tried this (and I guess it makes sense):
LDAP Master slapd.conf:
TLSCertificateFile /etc/openldap/ldap-master-cert.crt (self-signed certificate)
LDAP Slave slapd.conf:
TLSCertificateFile /etc/openldap/ldap-slave-cert.crt (self-signed certificate)
LDAP Master ldap.conf:
TLS_CACERT /etc/openldap/ldap-slave-cert.crt (Since when replicating, the master server acts as a client to the ldap slave server, right?)
Quoting the slurpd man page: "Note that slurpd reads replication directive from slapd.conf(5), but uses ldap.conf(5) to obtain other configuration settings (such as TLS settings)."
LDAP Slave ldap.conf:
TLS_CACERT /etc/openldap/ldap-master-cert.crt (I can't figure out now why, does the LDAP slave server act as a client to the ldap master server? When?)
> If you're replacing certs because they expired or some other
> reason, just duplicate the structure you had originally. Create one
> self-signed CA cert, then create your server certs and use your CA
> cert to sign all the other certs. Then distribute your CA cert to
> all the client machines as usual.
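The layout Howard recommends, as an added example that is not part of this thread: one self-signed CA, a master and a slave cert signed by it, and an openssl verify check that mirrors what the connecting side does with its TLS_CACERT (or slapd with TLSCACertificateFile). It assumes openssl is installed; the hostnames, file names and directory are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: build the layout Howard Chu recommends.
# Assumes openssl is installed; hostnames and file names are constructed here.
set -e

# One self-signed CA plus a CA-signed key/cert pair for each host, written to $1.
# ca.crt is the single file every peer lists as TLSCACertificateFile / TLS_CACERT.
make_ca_signed_certs() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example LDAP CA" >/dev/null 2>&1
    for host in ldap-master ldap-slave; do
        # CN is the name the peer connects to; it must match the server's hostname.
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" \
            -subj "/CN=$host.example.org" >/dev/null 2>&1
        openssl x509 -req -days 365 -in "$dir/$host.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$host.crt" >/dev/null 2>&1
    done
}

# The per-host self-signed variant from the thread, for contrast: $1 = dir, $2 = host.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/$2-selfsigned.key" -out "$1/$2-selfsigned.crt" \
        -subj "/CN=$2.example.org" >/dev/null 2>&1
}

# Succeeds only if cert $2 chains to a cert in trust file $1, which is the check
# the connecting side performs against its TLS_CACERT during the handshake.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: a CA-signed cert is accepted via ca.crt, a self-signed one is not.
demo_dir=$(mktemp -d)
make_ca_signed_certs "$demo_dir"
make_self_signed_cert "$demo_dir" ldap-master
verify_against "$demo_dir/ca.crt" "$demo_dir/ldap-slave.crt" && echo "CA-signed slave cert: trusted via ca.crt"
verify_against "$demo_dir/ca.crt" "$demo_dir/ldap-master-selfsigned.crt" || echo "self-signed master cert: rejected by ca.crt"
```

With the CA layout, rotating a server cert only requires re-signing it with the same CA; nobody else's TLS_CACERT has to change, which is the breakage the thread ran into with one self-signed cert per host.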