
RE: TLS Replication that works for me (was Re: )



Hi, thanks for your reply!

I've got replication working, and I have the certificates generated.  No
problems there.
The slapd.conf details are, I'm sure, where I'm out in the weeds.

Specifically, I didn't know about this
tls=critical		# TLS = SSL-on-request, basically

Thanks a lot for this information, I'll give it a shot right now.


Daniel Crandall
Unix/Network Administrator
Texas Department of Housing and Community Affairs.
512-305-8574
dcrandal@tdhca.state.tx.us

-----Original Message-----
From: John Beamon [mailto:jbeamon@franklinamerican.com]
Sent: Wednesday, May 14, 2003 10:15 AM
To: openldap-software@OpenLDAP.org
Subject: Re: TLS Replication that works for me (was Re: )


Daniel Crandall wrote:
> Hi,
>
> I'm having trouble figuring out how to use TLS to encrypt update
> transmissions between the master and the slaves.
>
> I do have certificates, and references to them in slapd.conf.  Beyond
> that I'm at a loss.  Help?
>
> 
>
> Daniel
>

I feel your pain.  I just learned this myself.

First, you want to get replication working without TLS.  Assuming you
might need a tiny bit of help with that, it can be done as follows.

master:/path/slapd.conf
...
replica host=replica_server.domain.com
        binddn="cn=slave,dc=domain,dc=com"
        bindmethod=simple
        credentials=password
# /var/lib/ldap/replica/slurpd.replog in Red Hat Linux
replogfile /path/slurpd.replog

slave:/path/slapd.conf
...
rootbinddn      "cn=slave,dc=domain,dc=com"
rootpw          password
updatedn        "cn=slave,dc=domain,dc=com"
updateref       ldap://master_server.domain.com

There are more elegant and secure ways of enabling the updatedn than
making it rootdn on the replica box, but anything other than rootdn will
involve an ACL to give that dn permission to write to everything.

Second, you need certificates.  Certs can be generated from an openssl
rpm installation by running 'make' in /usr/share/ssl and following the
instructions.  You might need an official cert request (.csr) to send to
Verisign, or you might only want a test cert.  There was a three-part
article by AEleen Frisch (author of the Armadillo Book) on setting up
LDAP in Linux Magazine, early 2002.  The page with ssl cert generation
is here:
http://www.linux-mag.com/cgi-bin/printer.pl?issue=2002-03&article=guru

Follow the SSL cert generation part exactly, and it's a piece of cake.
I've made a few other observations, though, that diverge from her
article.  Everywhere I read about it, everyone says that replication in
openldap-2.x does not work with encrypted credentials.  So... the tail
of my slapd.conf files looks like this.


master:/path/slapd.conf
...
# tls=critical: TLS = SSL-on-request, basically (a '#' only comments a whole line in slapd.conf)
replica host=replica_server.domain.com
        tls=critical
        binddn="cn=slave,dc=domain,dc=com"
        bindmethod=simple
        credentials=password
replogfile /path/slurpd.replog
TLSCertificateFile      /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile   /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite          HIGH:MEDIUM:+SSLv2

slave:/path/slapd.conf
...
rootbinddn      "cn=slave,dc=domain,dc=com"
rootpw          password
updatedn        "cn=slave,dc=domain,dc=com"
updateref       ldap://master_server.domain.com
TLSCertificateFile      /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile   /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite          HIGH:MEDIUM:+SSLv2


This works for me.  Your mileage may vary a little, and there are
certainly more sophisticated ways of doing it.  Anyone else is welcome
to add to this.

-j
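An added check, not part of either post above: a small Python auditor that parses slapd.conf the way slapd does (whitespace-led continuation lines, whole-line '#' comments, double-quoted arguments) and flags the points this thread turns on: a `replica` block without `tls=critical`, a `TLSCipherSuite` that still admits SSLv2 or other weak ciphers, and a cleartext `rootpw`. The embedded sample is a constructed copy of the master config from the post; the `{SSHA}` suggestion assumes the OpenLDAP `slappasswd` tool.

```python
import shlex

# Constructed sample: the master's slapd.conf tail from the post, comment on its own line.
SAMPLE_MASTER = """\
# tls=critical: require StartTLS before slurpd binds to the slave
replica host=replica_server.domain.com
        tls=critical
        binddn="cn=slave,dc=domain,dc=com"
        bindmethod=simple
        credentials=password
replogfile /path/slurpd.replog
TLSCertificateFile      /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile   /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
"""

# OpenSSL cipher-string tokens that should not be enabled on a replication link.
WEAK_CIPHER_TOKENS = ("SSLV2", "LOW", "NULL", "ANULL", "ENULL", "EXP", "EXPORT")


def parse_slapd_conf(text):
    """Return [(directive, [args])] using slapd.conf rules: a line that starts
    with whitespace continues the previous directive, '#' comments only a
    whole line, and arguments may be double-quoted."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        words = shlex.split(raw)                 # strips the quotes around binddn
        if raw[0] in " \t" and directives:
            directives[-1][1].extend(words)      # continuation of the replica block
        else:
            directives.append((words[0], words[1:]))
    return directives


def audit(text):
    """Findings a defender wants before letting slurpd push updates over the wire."""
    findings = []
    for name, args in parse_slapd_conf(text):
        name = name.lower()
        if name == "replica":
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            if opts.get("tls", "").lower() != "critical":
                findings.append("replica %s: tls=critical missing, bind credentials cross in clear"
                                % opts.get("host", "?"))
        elif name == "tlsciphersuite":
            suite = args[0] if args else ""
            # '!EXP' or '-LOW' disable a group; only enabled tokens are flagged.
            enabled = [t.upper().lstrip("+") for t in suite.split(":")]
            if any(t in WEAK_CIPHER_TOKENS for t in enabled):
                findings.append("TLSCipherSuite permits weak ciphers: " + suite)
        elif name == "rootpw" and args and not args[0].startswith("{"):
            findings.append("rootpw stored in cleartext; use a {SSHA} hash from slappasswd")
    return findings
```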