
RE: Single-master replication over TLS fails in 2.4.15



We have an internal certificate authority which issues certificates to
us.  The authority provides certificates as a single file containing the
certificate, the CA certificate (or chain) and the private key.  We
have no control over this, but I have forwarded the concern over the
single file approach that Howard brought up previously to my CA team.

Based on the input to this chain, we will start using separate
certificates for the server and client.

I do spend a fair amount of time in the OpenLDAP documentation,
especially prior to resorting to the mailing list.  This time around, I
didn't see the answers I needed in the Admin Guide.  I'll go back and
look again.  If it's still not clear I'd be happy to help out with the
documentation.

Thanks everyone,

Craig

-----Original Message-----
From: openldap-software-bounces+worganc=nortel.com@openldap.org
[mailto:openldap-software-bounces+worganc=nortel.com@openldap.org] On
Behalf Of Howard Chu
Sent: Friday, February 27, 2009 6:06 PM
To: Brian A. Seklecki
Cc: Worgan, Craig (BVW:9T16); openldap-software@openldap.org
Subject: Re: Single-master replication over TLS fails in 2.4.15

Brian A. Seklecki wrote:
> On Thu, 2009-02-26 at 14:56 -0800, Howard Chu wrote:
>>> In 2.4, if you configure syncrepl over TLS and omit the new options,
>>> does OpenLDAP use the values that are configured for the server
>>> certificate settings (TLS*), if any?
>> That's already explicitly stated in the slapd.conf(5) manpage.
>>
>>> If so, I'm confused as to why it
>>> failed for me originally.
>> I have no idea, it works for me.
>
>
> Meh!
>
> Craig:
>    Try issuing two certs for your replica.  One for the "server"
>    services, one for the "client" service.
>
>    Sign them both by the same Root CA, or two different intermediary CAs
>    (which you can daisy chain), but differentiate them with Netscape
>    Certificate Use extensions for your own reference

You're assuming he even has a CA cert. From the looks of it, he's using
a single self-signed cert for everything. The Admin Guide already tells
you to use a CA cert and separate server and client certs, but some
people just don't seem to bother reading or following docs. All the
documentation in the world is useless if nobody pays any attention.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
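As an added illustration of the advice in this thread (not configuration from any participant), here is how separate server-side and syncrepl client-side TLS settings look in a 2.4 slapd.conf. The file paths, the provider host name, the suffix and the bind DN are assumptions for the example.

```conf
# --- Server side: the certificate slapd presents to incoming clients ---
# Added example, not from the thread; all paths and names are assumptions.
TLSCACertificateFile   /etc/openldap/certs/internal-ca-chain.pem
TLSCertificateFile     /etc/openldap/certs/replica-server.crt
TLSCertificateKeyFile  /etc/openldap/certs/replica-server.key

# --- Client side: the certificate syncrepl presents to the provider ---
# The tls_* options give the replication consumer its own cert and key,
# separate from the server cert above; tls_cacert must verify the
# provider's server certificate, and tls_reqcert=demand makes a failed
# verification fatal rather than silently accepted. If the tls_* options
# are omitted, the consumer falls back to the TLS* settings above, as
# described in slapd.conf(5).
syncrepl rid=001
        provider=ldaps://provider.example.com:636
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=PLACEHOLDER_PASSWORD
        tls_cacert=/etc/openldap/certs/internal-ca-chain.pem
        tls_cert=/etc/openldap/certs/replica-client.crt
        tls_key=/etc/openldap/certs/replica-client.key
        tls_reqcert=demand
```

Both certificates should chain to the CA in internal-ca-chain.pem; if the CA hands out a combined cert/chain/key file, split it into the separate .crt, .key and chain files referenced here before pointing slapd at them.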