Re: Slurpd and TLS/SSL
Following-up to myself...
jseymour@linxnet.com (Jim Seymour) wrote:
>
>
> Howard Chu <hyc@symas.com> wrote:
> >
> [snip]
> >
> > All that matters is that both servers are properly configured to
> > recognize/accept each other's certs. However, it's usually a bad idea to
> > use self-signed certs for servers. Any time you need to use more than
> > one cert you should create an actual CA cert and use it to sign all the
> > others that you'll use.
> [snip]
>
> All in good time. But thanks for the suggestion.
Maybe sooner, rather than later. Read on...
>
> > Remember that slurpd is an LDAP client, not an LDAP server. It only
> > extracts a few bits of info out of slapd.conf, the rest of its
> > configuration (including TLS parameters) must be set via ldap.conf.
>
> I've got here O'Reilly's "LDAP System Administration" (now rather
> out-of-date, but still useful) and the OpenLDAP.org admin guide.
> Neither mentions anything about ldap.conf in relation to replication.
[snip]
So I did a "man ldap.conf" and started experimenting with TLS_REQCERT.
Values of "never" and "allow" resulted in TLS working. A value of
"try" did not. I'm certain "demand" or "hard" would likewise fail.
NB: One must remember to restart slurpd after each change ;).
So, I've some more homework to do. (I'm inclined to wonder how many
admins *think* they've got encrypted connections between slurpd and
remote slapd's, and really don't? How many admins go to the trouble
of doing a tcpdump/snoop/ethereal/whatever to see what's actually
happening?)
I need to look into forcing encryption. (No, don't tell me. I know
I've read it somewhere. I'll find it again. ;).)
Thanks for the feedback, guys.
Jim
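An added audit script, written for this thread and not part of the original post or of OpenLDAP, that reads an ldap.conf the way the post says slurpd does and reports whether the TLS_REQCERT level in it actually makes the client verify the replica's certificate; the sample configs, hostname and CA path are constructed.

```shell
#!/bin/sh
# Constructed audit helper: given an ldap.conf (the file slurpd takes its TLS
# settings from), report whether the client really verifies the replica's cert.
# Returns 0 only for a configuration that verifies, 1 otherwise.
audit_ldap_conf() {
    file="$1"
    # ldap.conf keys are case-insensitive; the last occurrence of a directive wins.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$file")
    cacert=$(awk 'toupper($1)=="TLS_CACERT"||toupper($1)=="TLS_CACERTDIR"{v=$2} END{print v}' "$file")
    case "${reqcert:-demand}" in        # man ldap.conf: the default level is demand
        never|allow)
            # TLS negotiates, so the wire is encrypted, but the peer is never
            # authenticated: any server presenting any cert (or none) is accepted.
            echo "$file: TLS_REQCERT=$reqcert -> encrypted, but replica cert NOT verified"
            return 1 ;;
        try)
            # A bad cert ends the session, but a server that sends no cert is accepted.
            echo "$file: TLS_REQCERT=try -> bad cert rejected, missing cert accepted"
            return 1 ;;
        demand|hard)
            if [ -z "$cacert" ]; then
                # Nothing to chain the replica's self-signed cert to: the handshake
                # fails, which is what the post saw with the stricter levels.
                echo "$file: TLS_REQCERT=$reqcert without TLS_CACERT -> cannot verify a self-signed replica cert"
                return 1
            fi
            echo "$file: TLS_REQCERT=$reqcert, CA=$cacert -> replica cert verified"
            return 0 ;;
        *)
            echo "$file: unrecognised TLS_REQCERT value '$reqcert'"
            return 1 ;;
    esac
}

# Constructed samples (hostname and CA path are placeholders): the setting the
# post found "working", beside the hardened form that trusts the signing CA.
demo() {
    tmp=$(mktemp -d)
    printf 'URI ldaps://replica.example.com\nTLS_REQCERT allow\n' > "$tmp/weak.conf"
    printf 'URI ldaps://replica.example.com\nTLS_CACERT /etc/openldap/cacert.pem\nTLS_REQCERT demand\n' > "$tmp/strong.conf"
    audit_ldap_conf "$tmp/weak.conf" || true
    audit_ldap_conf "$tmp/strong.conf"
    rm -r "$tmp"
}
demo
```

Run it against the ldap.conf that slurpd actually reads on the master; a verdict other than "verified" means the replica link is at best encrypted to an unauthenticated peer.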