
Method for specifying SyncRepl use of TLS (ITS#3293)



Full_Name: Matthew J. Smith
Version: 2.2.15
OS: SuSE Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (137.99.80.243)


  In the SyncRepl configuration section of slapd.conf, there is no way to
specify whether SyncRepl uses TLS or not.  It seems to use it automatically if
it is available. A flag specifying this would be very useful, allowing one to
specify a plain-text replication (over a secured network, say) from a master
that normally provides TLS.

  My current issue is trying to build a new master that will be swapped in place
of the current master.  The new master has an SSL certificate using the current
master's CN (ldap.uconn.edu), so that the swap will be seamless.  However, I
need to establish SyncRepl replication to a new replica.  The new replica cannot
correctly use TLS to the master, because the cert CN does not match the
DNS-resolved FQDN.

  Currently, this will be overcome with /etc/hosts trickery, but a TLS flag
would be simpler (for me).
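For comparison, here is an added slapd.conf illustration (not from the report or from OpenLDAP's own documentation) of the syncrepl stanza as the reporter describes it, where the TLS decision is implicit, next to a stanza that states the TLS requirement explicitly. It assumes a slapd whose syncrepl directive accepts the starttls= and tls_* keywords, which the 2.2.15 release discussed here does not have; the base DN, bind DN, and credentials are placeholders.

```conf
# --- As described in the report: nothing about TLS is stated, so the consumer
#     decides on its own whether to use StartTLS against the provider.
syncrepl rid=001
        provider=ldap://ldap.uconn.edu
        type=refreshAndPersist
        searchbase="dc=example,dc=org"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=org"
        credentials=PLACEHOLDER_PASSWORD

# --- Explicit form (assumes a slapd with starttls=/tls_* syncrepl keywords):
#     starttls=critical  -> replication is not attempted if StartTLS fails
#     tls_reqcert=demand -> the provider's certificate must chain to the CA
#                           named in tls_cacert and its name must match the
#                           host in the provider URL, so a CN/FQDN mismatch
#                           like the one in the report is refused rather
#                           than silently accepted or worked around.
syncrepl rid=002
        provider=ldap://ldap.uconn.edu
        type=refreshAndPersist
        searchbase="dc=example,dc=org"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=org"
        credentials=PLACEHOLDER_PASSWORD
        starttls=critical
        tls_cacert=/etc/openldap/cacert.pem
        tls_reqcert=demand
```

slapd.conf does not accept trailing comments on directive lines, which is why the explanatory comments sit on their own lines above each stanza.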