
Re: Setting up primary/secondary LDAP servers with TLS/SSL enabled



On Friday, 26 November 2010 11:26:46 Konstantin Boyandin wrote:
> Hello,
> 
> I am using primary/secondary LDAP servers configuration, it works quite
> normal.
> 
> I need to make LDAP authentication secure. I.e., I need both LDAP
> servers to provide LDAP over SSL/TLS, so that both primary and secondary
> LDAP server be used (mentioned in ldap.conf).
> 
> I have to use self-signed SSL certificates,

No, you don't have to use self-signed SSL certificates, you could use a single 
self-signed CA certificate, and sign your LDAP servers' SSL certificates with 
this single self-signed CA certificate.

> since the servers are
> located in intranet, they have no 'real' domain names.

There is no reason servers in an intranet can't have "real" domain names.

> The problem is I can't figure out how to specify ldap.conf SSL
> parameters so that they could
> - verify LDAP server certificate
> - be used with both primary and secondary LDAP servers

Your options are:
- 1 self-signed certificate with subjectAltName extensions allowing both 
hostnames and/or IP addresses etc. (however, some proprietary LDAP libraries 
don't support that well, e.g. on Solaris).

> Also, I'd prefer to use TLS - how do I run slapd so that it provided
> TLS-aware connection on the standard port?

TLS on standard port is start_tls.

> Is it possible to set up
> slapd so that TLS be optional (for testing/transition purposes).

If you have certificates defined in your slapd configuration (e.g. 
TLSCertificateFile, TLSCertificateKeyFile), this should work without any 
further configuration on the server side.

If you want to require TLS later, see the 'security' options for slapd.conf.

Regards,
Buchan