Re: Slurpd and TLS/SSL

[Howard Chu <hyc@symas.com>]

Jim Seymour wrote:
> Hi All,
>
>   
What OpenLDAP version number...
> I got replication working on port 389.  I can talk to the replica server
> on port 636 using SSL with JXplorer.  But when I try to use port 636
> for replication, replication silently fails.  (The "silently" part is
> especially bothersome :(.)
>
> Both servers have self-signed certs, if that matters.
>   

All that matters is that both servers are properly configured to 
recognize/accept each other's certs. However, it's usually a bad idea to 
use self-signed certs for servers. Any time you need to use more than 
one cert you should create an actual CA cert and use it to sign all the 
others that you'll use.
> I found an item about how slurpd must use TLS on port 389, as opposed
> to SSL on port 636, and went back to port 389.  Tcpdump revealed the
> connection was not encrypted.
>
> I tried "uri=https://host.example.com:389"; and that, too, failed
> silently.
>   

Well, this is Open *LDAP* after all. I don't believe anybody has 
enhanced slurpd to replicate using HTTP...

uri=ldaps://host.example.com should work fine if host.example.com is 
listening on ldaps://. You can explicitly specify the port 
uri=ldaps://host.example.com:636 but I usually don't bother unless 
someone is using a non-default port.
> The "tls" options for replication are set to "yes/try," as appropriate.
>
> I *think* that should about cover it.  Suggestions?
>   

Remember that slurpd is an LDAP client, not an LDAP server. It only 
extracts a few bits of info out of slapd.conf, the rest of its 
configuration (including TLS parameters) must be set via ldap.conf.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/