
Re: LDAP Replication +TLS +Self-signed certificate.



On Friday 15 August 2008 18:31:31 k bah wrote:
> > ----- Original Message -----
> > From: "Howard Chu" <hyc@symas.com>
> > To: "k bah" <kbah@linuxmail.org>
> > Subject: Re: LDAP Replication +TLS +Self-signed certificate.
> > Date: Fri, 15 Aug 2008 03:34:19 -0700
> >
> > k bah wrote:
> > >   Hi,
> > >
> > > I have LDAP replication setup (slurpd), works fine. Until a while ago I
> > > had a CA certificate, and with that one I signed two other certificates,
> > > for two different hosts. So I had 3 "hosts", one is the CA, another one
> > > is LDAP Master and the last the ldap slave. Configuration on both master
> > > and slave slapd.conf had:
> > > TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt
> > > TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key
> > > TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt
> >
> > That sounds like a correct configuration.
> >
> > > Now I changed the certificates, both the Master and Slave machines use
> > > self signed certificates, I changed the certificates/tls config on
> > > several services that used it, they work fine, but LDAP replication
> > > stopped working.
> >
> > That is a bad configuration. The old saying applies - "if it ain't
> > broke, don't fix it." Your original config was fine...
>
>  I tried this (and I guess it makes sense):

No, what you have below makes no sense. Why are you returning to an
all-self-signed setup?

>  LDAP Master slapd.conf:
>
> TLSCertificateFile /etc/openldap/ldap-master-cert.crt  (self-signed certificate)
> TLSCertificateKeyFile /etc/openldap/ldap-master-key.key
> TLSCACertificateFile /etc/openldap/ldap-master-cert.crt
>
>  LDAP Slave slapd.conf:
>
> TLSCertificateFile /etc/openldap/ldap-slave-cert.crt  (self-signed certificate)
> TLSCertificateKeyFile /etc/openldap/ldap-slave-key.key
> TLSCACertificateFile /etc/openldap/ldap-slave-cert.crt
>
>  LDAP Master ldap.conf:
>
> TLS_CACERT              /etc/openldap/ldap-slave-cert.crt
> (Since when replicating, the master server acts as a client to the ldap
> slave server, right?) Quoting the slurpd man page: "Note that slurpd reads
> replication directives from slapd.conf(5), but uses ldap.conf(5) to obtain
> other configuration settings (such as TLS settings)."

Why are you using slurpd?

>
>  LDAP Slave ldap.conf:
>
> TLS_CACERT              /etc/openldap/ldap-master-cert.crt
> (I can't figure out now why; does the LDAP slave server act as a client to
> the ldap master server? When?)

If you use any feature that requires the slave to connect to the master, 
including sync-repl replication, the chain overlay, or (possibly) the ldap or 
meta backends, this would depend entirely on your configuration, of which you 
have supplied relatively little.

> > If you're replacing certs because they expired or some other
> > reason, just duplicate the structure you had originally. Create one
> > self-signed CA cert, then create your server certs and use your CA
> > cert to sign all the other certs. Then distribute your CA cert to
> > all the client machines as usual.

Note that the "CA certificate" that you configure in the OpenLDAP ldap.conf 
file needs to be sufficient to validate the certificate of any of the LDAP 
servers you will connect to with SSL or START_TLS and certificate validation. 
If you are using self-signed certificates, you should then concatenate the 
certificates for all your LDAP servers on all your LDAP clients (and update 
all the clients whenever any of the certificates is renewed or changed). This 
is quite tedious once you have a significant number of servers and clients, 
which is why a CA certificate is used in any situation with more than a few 
servers ...

Regards,
Buchan
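Added example, not from the thread: the script below builds throwaway keys for both layouts discussed (one CA signing the master and slave certs, versus each server self-signed and the peer's cert used as "CA"), then runs the same check slapd and libldap make against TLS_CACERT / TLSCACertificateFile with openssl verify. Host names and the temp directory are made up; it assumes a POSIX sh and the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes: POSIX sh, openssl.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Create a self-signed certificate and key: $1 = file prefix, $2 = CN.
selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1-key.key" -out "$1-cert.crt" 2>/dev/null
}

# Layout recommended in the thread: one self-signed CA, both server certs
# signed by it. Clients then only need ca-cert.crt as TLS_CACERT.
selfsigned ca "example-ca"
for h in ldap-master ldap-slave; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$h.example.test" \
    -keyout "$h-key.key" -out "$h.csr" 2>/dev/null
  openssl x509 -req -in "$h.csr" -CA ca-cert.crt -CAkey ca-key.key \
    -CAcreateserial -days 30 -out "$h-cert.crt" 2>/dev/null
done

# Layout the poster tried: each server self-signed, no common CA.
selfsigned ss-master "ldap-master.example.test"
selfsigned ss-slave  "ldap-slave.example.test"
# The workaround Buchan describes: concatenate every server cert into the
# file each client points TLS_CACERT at (must be redone on every renewal).
cat ss-master-cert.crt ss-slave-cert.crt > bundle.crt

# verify_with CAFILE CERT: prints "ok" if CERT chains to something in CAFILE,
# "fail" otherwise. This is the check a TLS client performs on the peer cert.
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "CA-signed slave cert against CA file:     $(verify_with ca-cert.crt ldap-slave-cert.crt)"
echo "Self-signed slave cert against master cert: $(verify_with ss-master-cert.crt ss-slave-cert.crt)"
echo "Self-signed slave cert against bundle:    $(verify_with bundle.crt ss-slave-cert.crt)"
```

The second line is the case where replication broke: the master's own self-signed cert can never validate the slave's self-signed cert, whichever file it is placed in.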