
Re: Syncrepl can't start ssl session because of refused 'client' certificate

--On Monday, July 11, 2011 6:44 PM +0200 Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:

On 11/07/2011 18:29, Rich Megginson wrote:
I think what is happening is that the syncrepl crypto context is
"inheriting" from the main server crypto context.
Yes, this looks like this.

You want it to "inherit" the CA certificate from the main crypto
context but not the server certificate.

Not necessarily. When linked to openssl, openldap used to use the
/etc/openldap/ldap.conf file to read the client-side SSL configuration.

Please open an ITS for this.  I'll have to figure out how this was
working in openssl.
Done: ITS#6994

Actually syncrepl has its own configuration now for SSL/TLS.

olcSyncrepl: rid=<replica ID> provider=ldap[s]://<hostname>[:port]
              searchbase=<base DN> [type=refreshOnly|refreshAndPersist]
              [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of retries>]+]
              [filter=<filter str>] [scope=sub|one|base|subord]
              [attrs=<attr list>] [exattrs=<attr list>] [attrsonly]
              [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off]
              [network-timeout=<seconds>] [timeout=<seconds>]
              [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>]
              [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
              [realm=<realm>] [secprops=<properties>]
              [keepalive=<idle>:<probes>:<interval>] [starttls=yes|critical]
              [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>]
              [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand]
              [tls_ciphersuite=<ciphers>] [tls_crlcheck=none|peer|all]
              [suffixmassage=<real DN>] [logbase=<base DN>] [logfilter=<filter str>]
              [syncdata=default|accelog|changelog]

Note the tls_cacertdir, etc., options.



Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra ::  the leader in open source messaging and collaboration
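Worked example, added here and not part of the original thread: a consumer-side olcSyncrepl value that sets the tls_* options from the synopsis explicitly, so the replication connection validates the provider against a named CA instead of relying on whatever the server's own TLS context inherits, beside the provider-side setting that decides whether a client certificate is required at all. The rid, hostnames, base DN, bind DN and file paths are placeholders.

```ldif
# Consumer side (slapd cn=config). All values are placeholders.
# LDIF folds long values with a leading space that is stripped on
# parsing, so each continuation line starts with TWO spaces: the first
# is the fold marker, the second keeps the tokens separated.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://provider.example.com
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=REPLACE_WITH_SECRET
  starttls=critical
  tls_cacert=/etc/openldap/certs/ca.pem
  tls_reqcert=demand
  tls_crlcheck=peer
# tls_cert / tls_key are deliberately absent: set them only if the
# provider requires a client certificate, and then point them at a
# certificate issued for client authentication, not the server's own.

# Provider side: whether a client certificate is requested and how a
# missing or invalid one is treated. 'never' does not request one;
# 'allow' requests one but proceeds even if it is missing or invalid;
# 'try' proceeds if none is sent but rejects an invalid one;
# 'demand' requires a valid one. A consumer that presents its server
# certificate as a client certificate fails under 'try' and 'demand'.
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
```

Apply each part with ldapmodify against the respective server's cn=config, then confirm on the consumer that the contextCSN advances.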