Re: Single-master replication over TLS fails in 2.4.15
Brian A. Seklecki wrote:
> On Thu, 2009-02-26 at 14:56 -0800, Howard Chu wrote:
> > > In 2.4, if you configure syncrepl over TLS and omit the new options,
> > > does OpenLDAP use the values that are configured for the server
> > > certificate settings (TLS*), if any?
> > That's already explicitly stated in the slapd.conf(5) manpage.
> I have no idea, it works for me.
> > > If so, I'm confused as to why it
> > > failed for me originally.
> Try issuing two certs for your replica. One for the "server"
> services, one for the "client" service.
> Sign them both by the same Root CA, or two different intermediary CAs
> (which you can daisy chain), but differentiate them with Netscape
> Certificate Use extensions for your own reference.
You're assuming he even has a CA cert. From the looks of it, he's using a
single self-signed cert for everything. The Admin Guide already tells you to
use a CA cert and separate server and client certs, but some people just don't
seem to bother reading or following docs. All the documentation in the world
is useless if nobody pays any attention.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
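Brian's suggestion (two certificates for the replica under one CA, told apart by their usage extensions) and Howard's pointer to a CA cert with separate server and client certs, carried through end to end as an added example; this is not code from the thread or from the OpenLDAP project. It builds a throwaway CA with openssl, issues a "server" cert for the provider's listener and a "client" cert for the replica's syncrepl connection, checks with `openssl verify -purpose` that each cert is accepted only for its own role, and prints the slapd.conf fragments that reference them. The host names, base DN, replication bind DN, password and file paths are assumptions. The roles are marked with the X.509 extendedKeyUsage extension as well as the nsCertType (Netscape certificate type) extension Brian refers to; extendedKeyUsage is what TLS implementations actually check.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP: one CA, one server cert,
# one client cert, and the slapd.conf fragments that use them.
# All names, DNs, paths and the bind password below are assumptions.
set -eu

# Create a self-signed CA (key + cert) in $1.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' \
        > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example LDAP CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
}

# Issue a leaf cert under the CA in $1. $2 is the role ("server" or "client"),
# $3 the CN. The role decides the extendedKeyUsage and nsCertType values, so a
# server cert cannot be presented as a client cert and vice versa.
issue_cert() {
    dir=$1 role=$2 cn=$3
    if [ "$role" = server ]; then
        eku=serverAuth nstype=server san="subjectAltName = DNS:$cn"
    else
        eku=clientAuth nstype=client san=
    fi
    cat > "$dir/$role.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
nsCertType = $nstype
$san
EOF
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$role.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/$role.ext" \
        -out "$dir/$role.pem" 2>/dev/null
}

# Exit 0 if $1/$2.pem chains to the CA and is valid for purpose $3
# (sslserver or sslclient), non-zero otherwise.
cert_valid_for() {
    openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2.pem" >/dev/null 2>&1
}

# Print the slapd.conf fragments. The TLS* directives describe a slapd
# listener (its "server" identity); the consumer's syncrepl stanza acts as a
# TLS client toward the provider and sets its own tls_* options explicitly
# rather than relying on whatever the listener's TLS* settings would give it.
slapd_conf_fragment() {
    dir=$1 provider=$2
    cat <<EOF
# --- provider (master) ---
TLSCACertificateFile  $dir/ca.pem
TLSCertificateFile    $dir/server.pem
TLSCertificateKeyFile $dir/server.key
TLSVerifyClient       demand

# --- consumer (replica): its own "client" cert for the syncrepl session ---
syncrepl rid=001
    provider=ldap://$provider
    starttls=critical
    tls_cacert=$dir/ca.pem
    tls_cert=$dir/client.pem
    tls_key=$dir/client.key
    tls_reqcert=demand
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=secret
EOF
}

main() {
    d=${1:-${TMPDIR:-/tmp}/syncrepl-pki}
    make_ca "$d"
    issue_cert "$d" server ldap-provider.example.com
    issue_cert "$d" client ldap-consumer.example.com
    cert_valid_for "$d" server sslserver && echo "server cert accepted for sslserver"
    cert_valid_for "$d" client sslclient && echo "client cert accepted for sslclient"
    cert_valid_for "$d" server sslclient || echo "server cert rejected as sslclient (as intended)"
    slapd_conf_fragment "$d" ldap-provider.example.com
}

main "$@"
```

Run it with an output directory as the only argument. The `TLSVerifyClient demand` line on the provider is what makes the separate client cert matter: with it, the consumer's syncrepl session cannot complete the TLS handshake with no cert, nor with the listener's server cert, since that one carries only serverAuth. Replace `credentials=secret` with a real password (or switch to `bindmethod=sasl` with EXTERNAL) before using the fragment.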