On 2013.07.31 06.36, Tony Davis wrote:
Hi, I wonder if anyone can help me with a question I have regarding an openldap setup on Redhat / Centos 5.8 using openldap-2.3.43. I am trying to setup replication, I have set this up using the simple bind method, which stores a password for the replication in the config. (This works) but I wondered if there was a way to have this replication take place using ssl certificates without the need to store the unhashed password in the slapd.conf? Is this possible? or do I still have to specify a replication user and pass, but all the auth takes place over ssl?
you are talking about two different things. one is encryption, and one is authentication.
making some basic assumptions [e.g. that the provider is properly configured for encryption], using starttls means that communication is encrypted, regardless of how you might be authenticating or what sasl mechanism might be in use.
as far authentication goes, if you want to do certificate based authentication, first read the section in the admin guide which covers this [chapter 16. using tls]. then, use ldapsearch or friends for the exercise of set up and testing of the provider. once that is working, translate those settings to the consumer syncrepl config element.
on a related note, the tls_cert/tls_key syncrepl settings are to specify the key and cert of the client [e.g. the consumer]. not the provider. those files are what the consumer will use when authenticating to the provider via certificates.
-ben