We use OpenLDAP 2.4.11 on CentOS 5 for OS user PAM authentication in a Xen-based HA cluster of 2 nodes. We are using MirrorMode replication so that the databases are synchronised if a change occurs on any node, and there is no issue if one node goes down - each node maintains its own database. We use non-TLS local LDAP access (127.0.0.1) on Dom0 and TLS from the virtual machines to LDAP.
As soon as LDAP replication is set up in a non-TLS way, everything works fine. But we are trying to set up TLS also for replication to bring more security into the system. However, it seems like there is a principal issue here - one cannot specify client access config for local access and for remote replication at the same time. Or can we?
If we define the client config to use TLS for the peer, then each local request goes to the peer node. If the peer is down, the request will fail and the user cannot log in to the OS. It looks like syncrepl requires client configuration for the peer.
We tried to use the "start_tls" option in the syncrepl section, but we still fail to connect to the peer node. From the replies on the list I assume TLS options in the syncrepl section are just supposed to override default settings, not to specify an explicit option for it.
- Is it possible to use local LDAP database locally together with TLS-enabled replication in a cluster?
- Is anybody running such or similar setup successfully?
- What would you suggest, if it is not possible?
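For readers following this thread, here is an added example of the layout the question is about: a slapd.conf fragment for one node of a two-node MirrorMode pair in which local PAM clients keep using plain LDAP on 127.0.0.1 while only the replication session to the peer uses TLS. This is not the poster's configuration; hostnames, file paths, DNs, the rid and the IP addresses are placeholders. In OpenLDAP 2.4 the TLS settings for the consumer side live in the syncrepl directive itself (starttls, tls_cacert, tls_cert, tls_key, tls_reqcert), so the client-side ldap.conf used by PAM does not have to point at the peer at all.

```conf
# Added example for node A of a MirrorMode pair (placeholders throughout).
# slapd listens on the loopback for local clients and on the cluster
# interface for the peer, e.g.:
#   slapd -h "ldap://127.0.0.1/ ldap://192.0.2.10/"

# Server-side TLS material, used when node B connects to us.
TLSCACertificateFile    /etc/openldap/cacerts/cluster-ca.pem
TLSCertificateFile      /etc/openldap/certs/nodeA.pem
TLSCertificateKeyFile   /etc/openldap/certs/nodeA.key

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Each node in MirrorMode needs its own serverID.
serverID        1
mirrormode      on
overlay         syncprov
syncprov-checkpoint 100 10

# Log the replication state so a failed TLS handshake to the peer is visible.
loglevel        sync

# Consumer half: pull from node B. The tls_* keywords below apply only to
# this outbound replication connection, not to local clients.
syncrepl rid=001
         provider=ldap://nodeb.example.com:389
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials=REPLICATOR_PASSWORD_PLACEHOLDER
         starttls=critical
         tls_cacert=/etc/openldap/cacerts/cluster-ca.pem
         tls_cert=/etc/openldap/certs/nodeA.pem
         tls_key=/etc/openldap/certs/nodeA.key
         tls_reqcert=demand

# The replicator identity only gets read access over TLS (tls_ssf=128), so a
# replication attempt that never negotiated TLS fails instead of moving data
# in the clear. Local loopback clients are not affected by that requirement.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.exact="cn=replicator,dc=example,dc=com" tls_ssf=128 read
        by * none
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" tls_ssf=128 read
        by peername.ip=127.0.0.1 read
        by users read
        by * none
```

With this split, a local check such as `ldapsearch -x -H ldap://127.0.0.1 -b dc=example,dc=com` on Dom0 does not depend on the peer being reachable, while `starttls=critical` together with `tls_reqcert=demand` makes the consumer refuse to replicate if the peer's certificate does not validate against the cluster CA.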