Re: Secure replication
--On Tuesday, May 09, 2017 2:11 AM +0000 "Real, Elizabeth (392K)"
<Elizabeth.Real@jpl.nasa.gov> wrote:
Hi Elizabeth,
> If "ldap://" is secure already then I do not need to proceed further.
That says nothing about whether or not your configuration is secure.
Again, if it is "ldap://" with the startTLS LDAPv3 extension, and you've
configured it so that startTLS is required to succeed, then it is secure. You've not
provided the information that would be necessary to make such a
determination. I would again advise reading the slapd-config(5) man page
for the olcSyncRepl attribute, specifically the bits on the starttls,
tls_cacert/tls_cacertdir, tls_cipher_suite, and tls_protocol_min
configuration parameters.
You may also want to set olcSecurity (A value of "ssf=1" requires any and
all connections to the server be encrypted). Changing this value from the
default requires a server restart for it to go into effect.
> SSLv3
> TLSv1.2
Those look like protocol versions, not cipher suites. ;)
> Why is version 2.4.40 unsafe for multi-master replication? I can upgrade
> at a later time; I just wanted to find out how to enable ldaps between the
> two servers.
You can read through the OpenLDAP Release notes here:
<http://www.openldap.org/software/release/changes.html>
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
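For readers following this thread, the configuration Quanah describes (an ldap:// provider URL with startTLS made mandatory, a CA to validate the peer against, a minimum TLS protocol version, a real cipher suite list, and olcSecurity requiring encryption for every connection) looks like the following on one server of a mirror-mode pair. This is an added illustration, not configuration from the thread or from the OpenLDAP project; hostnames, DNs, the certificate path, the replicator credentials and the database index `{1}` are placeholders, and the mirrored server needs the same entry with its own `rid` and `provider` pointing back at the first.

```ldif
# Consumer side of a mirror-mode pair (ldap1 pulling from ldap2).
# Placeholder values: hostnames, DNs, CA path, password, database index.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://ldap2.example.com:389
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=REPLACE_WITH_REPLICATOR_PASSWORD
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="5 5 300 +"
  timeout=1
  starttls=critical
  tls_cacert=/etc/openldap/certs/ca.pem
  tls_reqcert=demand
  tls_protocol_min=3.3
  tls_cipher_suite=HIGH:!aNULL:!MD5
-
replace: olcMirrorMode
olcMirrorMode: TRUE

# Global settings: refuse unencrypted connections and floor the protocol at TLSv1.2.
# olcSecurity takes effect only after slapd is restarted.
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=1
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` on each server, then restart slapd for olcSecurity. The security-relevant points: `starttls=critical` makes replication fail rather than fall back to cleartext if the TLS upgrade is refused; `tls_reqcert=demand` together with `tls_cacert` means a peer presenting a certificate that does not chain to that CA is rejected rather than silently accepted; `tls_protocol_min=3.3` (TLSv1.2) and `olcTLSProtocolMin` are where protocol versions belong, whereas `tls_cipher_suite` takes a cipher list in the library's own syntax (the OpenSSL form is shown here), so a value like `SSLv3` or `TLSv1.2` there is a misconfiguration. An `ssf=1` requirement does not by itself pick strong crypto; it only insists that some encryption layer be present, so the protocol minimum and cipher list still matter.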