
Re: Syncrepl SSL fail



Hello,

It seems that the proper configuration for my case is :

syncrepl       rid=003
               provider=ldaps://ldap.mydomain.fr:1024/
               type=refreshOnly
               retry="60 10 600 +"
               interval=00:00:00:10
               searchbase="dc=mydomain,dc=fr"
               scope=sub
               schemachecking=on
               bindmethod=simple
               tls_reqcert=never
               binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
               credentials=my_password

It works, but I am confused by those parameters. If I understand
well, I will never use TLS here, but only SSL?
Hence, it was a TLS issue?

Thanks for your help.

Regards,

Hugo


On 16 October 2011 09:51, Howard Chu <hyc@symas.com> wrote:
> Quanah Gibson-Mount wrote:
>>
>>
>> --On October 13, 2011 10:43:55 AM -0700 Josh Miller
>> <joshua@itsecureadmin.com>  wrote:
>>
>>>
>>> On Oct 13, 2011, at 10:29 AM, Quanah Gibson-Mount wrote:
>>>>
>>>> I don't see any of the tls_* options to the syncrepl configuration here.
>>>> Likely the syncrepl client is unable to verify the master's cert.  I
>>>> would note that using refreshOnly is ill-advised.
>>>
>>> Hi Quanah,
>>>
>>> Why is RefreshOnly ill-advised?  That is the recommendation in the docs
>>> (very timely as I just set this up again myself).
>>>
>>> re:  http://www.openldap.org/doc/admin24/replication.html
>>
>> The admin guide has examples, not recommendations.  In any case, I fully
>> intend to change those examples to be refreshAndPersist so people stop
>> defaulting to refreshOnly.  It is not always reliable, and you
>> significantly delay your replication by using it.
>
> Of course, it may be the only thing that works reliably if you have a
> firewall that silently kills old connections.
>
> The examples should stand as-is. We cannot predict what environment it's
> going to be deployed in. It's up to administrators to use their brains and
> know these details of their network.
>
> --
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
>
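Editor's note, added here and not part of Hugo's message or of the OpenLDAP documentation. The `tls_*` syncrepl options apply to both `ldaps://` (TLS on a dedicated port) and StartTLS on `ldap://` with `starttls=yes`, so the configuration above does use TLS; what `tls_reqcert=never` changes is that slapd negotiates the TLS session but accepts whatever certificate the peer presents. The consumer therefore has no way to tell the real provider from a host interposed on the path, and the bind password and every replicated entry are exposed to it. Quanah's remark above points at the likely real cause, the consumer not trusting the CA that signed the provider's certificate, which is fixed by naming that CA rather than by switching the check off. The fragment below shows Hugo's consumer definition beside a version that verifies the certificate; the CA file path is an assumption for illustration.

```conf
# --- Weak: TLS is negotiated, but the provider's certificate is never checked.
# Any host answering on ldap.mydomain.fr:1024 is accepted, so an interposed host
# can read the bind credentials and the replicated directory.
# (All settings except the tls_* lines are the ones posted above.)
syncrepl       rid=003
               provider=ldaps://ldap.mydomain.fr:1024/
               type=refreshOnly
               retry="60 10 600 +"
               interval=00:00:00:10
               searchbase="dc=mydomain,dc=fr"
               scope=sub
               schemachecking=on
               bindmethod=simple
               tls_reqcert=never
               binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
               credentials=my_password

# --- Hardened: same consumer, but the provider's certificate must chain to a CA
# we name explicitly. /etc/openldap/cacerts/mydomain-ca.pem is an ASSUMED path:
# put the certificate of the CA that signed the provider's server certificate there.
# With tls_reqcert=demand the session is refused if the chain does not verify or if
# the certificate's subject CN / subjectAltName does not match "ldap.mydomain.fr",
# the host named in the provider= URI. Keep this file readable only by the slapd
# user, since credentials= is stored in clear text.
syncrepl       rid=003
               provider=ldaps://ldap.mydomain.fr:1024/
               type=refreshOnly
               retry="60 10 600 +"
               interval=00:00:00:10
               searchbase="dc=mydomain,dc=fr"
               scope=sub
               schemachecking=on
               bindmethod=simple
               tls_reqcert=demand
               tls_cacert=/etc/openldap/cacerts/mydomain-ca.pem
               binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
               credentials=my_password
```

Before switching to `demand`, confirm from the consumer host that the chain actually verifies with that CA file: `openssl s_client -connect ldap.mydomain.fr:1024 -CAfile /etc/openldap/cacerts/mydomain-ca.pem </dev/null` should report `Verify return code: 0 (ok)`, and `LDAPTLS_CACERT=/etc/openldap/cacerts/mydomain-ca.pem ldapsearch -H ldaps://ldap.mydomain.fr:1024/ -x -D "cn=syncrepluser,o=others,dc=mydomain,dc=fr" -W -b "dc=mydomain,dc=fr" -s base` should return the base entry. If either fails, the error it prints (unknown CA, hostname mismatch, expired certificate) is the problem `tls_reqcert=never` was hiding.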