[Date Prev][Date Next]
Re: TLS vs. MirrorMode replication
Maros Timko <email@example.com> writes:
> Hi all,
> we use OpenLDAP 2.4.11 on CentOS 5 for OS user PAM authentication in Xen-based
> HA cluster of 2 nodes. We are using MirrorMode replication so that databases
> are synchronised if change occurs on any node and there is no issue if one
> node goes down - each node maintains its own database. We use non-TLS local
> LDAP access (127.0.0.1) on Dom0 and TLS from virtual machines to LDAP.
> As soon as LDAP replication is set up in non-TLS way, everything works fine.
> But we are trying to set up TLS also for replication to bring more security
> into the system. However, it seems like there is a principial issue here - one
> cannot specify client access config for local access and for remote
> replication at the same time. Or can we?
> If we define client config to use TLS for the peer, then each local request
> goes to peer node. If the peer is down, the request will fail and user cannot
> log in into the OS. It looks like syncrepl requires client configuration to
> the peer.
> We tried to use "start_tls" option in syncrepl section but we still fail to
> connect to peer node. From the replies on the list I assume, TLS options in
> syncrepl section are just supposed to overwrite default settings, not to
> specify explicit option for it.
> - Is it possible to use local LDAP database locally together with TLS-enabled
> replication in a cluster?
> - Is anybody running such or similar setup successfully?
> - What would you suggest, if it is not possible?
In a proper designed and configured TLS session, the client has to
verfiy the host certificate DN, if the client has to switch to a
mirrored node the the certificate DN may note meet the verfication
In order to solve this, a host certificate may extended to a
subjectAltName attribute. This can be achieved by editing the [
user_cert ] section of openssl.cnf.
The entry could be something like
Dieter Klünter | Systemberatung
GPG Key ID:8EF7B6C6