
Re: Secure replication



--On Tuesday, May 09, 2017 2:11 AM +0000 "Real, Elizabeth (392K)" <Elizabeth.Real@jpl.nasa.gov> wrote:

Hi Elizabeth,

> If "ldap://" is secure already then I do not need to proceed further.

That says nothing about whether or not your configuration is secure. Again, if it is "ldap://" with the startTLS LDAPv3 extension, and you've configured it to be required that it succeed, then it is secure. You've not provided the information that would be necessary to make such a determination. I would again advise reading the slapd-config(5) man page for the olcSyncRepl attribute, specifically the bits on the starttls, tls_cacert/tls_cacertdir, tls_cipher_suite, and tls_protocol_min configuration parameters.

You may also want to set olcSecurity (A value of "ssf=1" requires any and all connections to the server be encrypted). Changing this value from the default requires a server restart for it to go into effect.

> SSLv3
> TLSv1.2

Those look like protocol versions, not cipher suites. ;)

> Why is version 2.4.40 unsafe for multi-master replication? I can upgrade
> at a later time; I just wanted to find out how to enable ldaps between the
> two servers.

You can read through the OpenLDAP Release notes here: <http://www.openldap.org/software/release/changes.html>

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
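As an added illustration of the parameters Quanah points to (this LDIF is not part of the message above or of the OpenLDAP project's documentation), here is a consumer-side olcSyncRepl stanza in its weak form beside a hardened form, plus the olcSecurity setting. Hostnames, DNs, file paths and the replicator password are constructed placeholders; the parameter names (starttls, tls_cacert, tls_cipher_suite, tls_protocol_min) are the ones named in the reply, and tls_reqcert is an additional real syncrepl option not mentioned there. The cipher string is OpenSSL syntax and would differ under GnuTLS.

```ldif
# Added example, not from the original message or the OpenLDAP project.
# ldap2.example.com, dc=example,dc=com, /etc/openldap/certs/ca.pem and the
# replicator credentials are constructed placeholders.

# --- Weak: the "ldap://" scheme alone says nothing about encryption. With no
# starttls= keyword, the bind password and every replicated entry cross the
# wire in clear text. This is the setting to replace, not to copy.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://ldap2.example.com
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=CHANGE-ME
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"

# --- Hardened: still "ldap://", but StartTLS must succeed (critical), the
# provider's certificate must chain to the named CA and be verified (demand),
# the protocol floor is TLSv1.2 (3.3 uses the same encoding as
# olcTLSProtocolMin; an assumption, check slapd-config(5) for your build),
# and the cipher list excludes anonymous and MD5 suites.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://ldap2.example.com
  starttls=critical
  tls_cacert=/etc/openldap/certs/ca.pem
  tls_reqcert=demand
  tls_protocol_min=3.3
  tls_cipher_suite=HIGH:!aNULL:!MD5
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=CHANGE-ME
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"

# --- Server side: require a security strength factor of at least 1 on every
# connection, i.e. refuse any operation over an unencrypted session. As the
# reply notes, slapd must be restarted for a change to this value to take effect.
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=1
```

In a multi-master setup each server carries its own olcSyncRepl stanza pointing at its peers, so the hardened form has to be applied on every node, and each node needs the CA that signed its peers' certificates in tls_cacert. Local ldapi:// administration keeps working under ssf=1 because such connections are credited with olcLocalSSF (default 71), which exceeds the requirement.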