Re: Secure replication

[Quanah Gibson-Mount <quanah@symas.com>]

--On Tuesday, May 09, 2017 2:11 AM +0000 "Real, Elizabeth (392K)" 
<Elizabeth.Real@jpl.nasa.gov> wrote:

Hi Elizabeth,

> If "ldap://"; is secure already then I do not need to proceed further.

That says nothing about whether or not your configuration is secure. 
Again, if it is "ldap://"; with the startTLS LDAPv3 extension, and you've 
configured it be required that it succeed, then it is secure.  You've not 
provided the information that would be necessary to make such a 
determination.  I would again advise reading the slapd-config(5) man page 
for the olcSyncRepl attribute, specifically the bits on the starttls, 
tls_cacert/tls_cacertdir, tls_cipher_suite, and tls_protocol_min 
configuration parameters.

You may also want to set olcSecurity (A value of "ssf=1" requires any and 
all connections to the server be encrypted).  Changing this value from the 
default requires a server restart for it to go into effect.

> SSLv3
> TLSv1.2

Those look like protocol versions, not cipher suites. ;)

> Why is version 2.4.40 unsafe for multi-master replication? I can upgrade
> at a later time I just wanted to find out how to enable ldaps between the
> two servers.

You can read through the OpenLDAP Release notes here: 
<http://www.openldap.org/software/release/changes.html>

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>