
Re: ldap slave master relationship



Omar Al-Tabari wrote:

Both the provider and the consumer work fine independently; they both use TLS and have clients configured to use them. But now one of them must become a slave to the other and use Syncrepl to take the changes that the master provides.
But since both are using different certificates, I don't know how they are going to communicate with their clients, since to use TLS you must create a CA certificate with the FQDN of the server, so both have different FQDNs and hence different certificates.

Wrong. As explained in http://www.openldap.org/doc/admin22/tls.html, the server certificate must have a DN with the FQDN of the server, but the server certificate should be a different cert than the CA cert. A single CA cert should be used to sign all of the server certificates in a cooperating network. And for future reference, you can get plenty of help on how SSL/TLS works from the openssl-users@openssl.org mailing list. Basic questions like this about how SSL/TLS are used should be asked there; they have little to do with LDAP or OpenLDAP.


Lee Jensen wrote:

>>and the binddn "slave_reader" has the bind password in the slapd.conf, but the updatedn doesn't, so how is it going to bind and update?


I wondered this myself. I assume that because syncrepl actually runs
inside the server daemon and the updatedn is configured from within the
slapd.conf it's considered safe. So the syncrepl part of the daemon just
uses that as the dn which is making mods for internal calls to check
permissions to modify objects.

Yes. The updatedn is a rather pointless setting; it has been removed in OpenLDAP 2.3. (But it is still needed in 2.2.)

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
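The CA-versus-server-certificate point made in the reply above, as an added shell/openssl example that is not part of the thread or of OpenLDAP: one CA certificate signs a separate server certificate for each FQDN, and both servers verify against that shared CA rather than against each other's server cert. The organisation name and the hostnames provider.example.org and consumer.example.org are constructed placeholders; the SAN extension is the form today's clients use to carry the FQDN.

```shell
#!/bin/sh
# Added example, not from the thread. One CA signs a server certificate per
# FQDN; each slapd then trusts peers through the shared CA cert, never through
# its own server cert. Organisation and hostnames are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca: self-signed CA key and cert (the one file every server lists as CA)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/O=Example Org/CN=Example Replication CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# make_server_cert FQDN: key, CSR with CN=FQDN, then a CA-signed cert.
# The subjectAltName carries the same FQDN for hostname matching.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# chain_ok ANCHOR CERT HOST: 0 if CERT chains to ANCHOR and matches HOST
chain_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# check_pki: builds the PKI and returns 0 only if it behaves as expected
check_pki() {
  make_ca
  make_server_cert provider.example.org
  make_server_cert consumer.example.org
  ca="$WORK/ca.crt"
  prov="$WORK/provider.example.org.crt"
  cons="$WORK/consumer.example.org.crt"
  # Each server's cert verifies against the shared CA under its own FQDN ...
  chain_ok "$ca" "$prov" provider.example.org || return 1
  chain_ok "$ca" "$cons" consumer.example.org || return 1
  # ... but not with the other server's cert used as the "CA", and not under
  # the other server's hostname: that is why each FQDN needs its own cert.
  if chain_ok "$prov" "$cons" consumer.example.org; then return 1; fi
  if chain_ok "$ca" "$cons" provider.example.org; then return 1; fi
  echo "shared CA verifies both FQDN certs; server-cert-as-CA rejected"
}

check_pki
```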