[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Secure replication
--On Saturday, May 06, 2017 1:56 AM +0000 "Real, Elizabeth (392K)"
<Elizabeth.Real@jpl.nasa.gov> wrote:
The olcSyncRepl directive on both systems needs to go from:
olcSyncRepl: rid=001 provider=ldap
to:
olcSyncRepl: rid=001 provider=ldaps
The use of "ldap://"; does not mean that you have insecure replication. The
"ldaps" designation was developed to allow for SSL encrypted connections as
a part of LDAPv2, which did not have a formal design spec for allowing SSL
encryption. The LDAPv3 spec, which is what OpenLDAP 2.4 (and much earlier
version) implement, specifically has startTLS as a part of that
specification, which uses "ldap:///";. I.e., ldaps is a bastardized hack
for LDAPv2. The proper way to do TLS encryption with LDAPv3 capable
servers such as OpenLDAP 2.[1-4+] is to use the startTLS extended operation
over a "ldap:///"; URI.
In addition, there are other ways to have an encrypted connection between
an LDAP client and server without involving TLS at all, such as SASL/GSSAPI.
As Michael noted, you can, in addition to enabling TLS encryption between
the client and servers, use client cert authentication (SASL/EXTERNAL) so
as to remove the requirement for clear text credentials to be stored in the
olcSyncRepl attribute (if using simple binds). And again, the usage of
SASL/GSSAPI also precludes the neccessity of storing cleartext credentials
in the olcSyncRepl attribute.
As an aside, I would note that 2.4.40 is completely unsafe to use with
multimaster replication.
I would generally suggest forming a clear set of requirements for your
replication environment, and then asking how to implement them. Your
current question is too vague/general to really be answered well.
Hope that helps!
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>