
Re: Method for specifying SyncRepl use of TLS (ITS#3293)



Default is not to use starttls.
Starttls will not be used unless it is specified in the syncrepl definition.
- Jong-Hyuk

>Can starttls be set to 'no' for scenarios where I want to force
>plain-text?  What is the default if not specified?  Please note, I just
>opened ITS #3293 requesting such a parameter.
>
>Thanks for the info,
>-Matt

----- Original Message ----- 
From: <matt.smith@uconn.edu>
To: <openldap-its@OpenLDAP.org>
Sent: Friday, August 20, 2004 11:59 AM
Subject: Method for specifying SyncRepl use of TLS (ITS#3293)


> Full_Name: Matthew J. Smith
> Version: 2.2.15
> OS: SuSE Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (137.99.80.243)
>
>
>   In the SyncRepl configuration section of slapd.conf, there is no way to
> specify whether SyncRepl uses TLS or not.  It seems to use it automatically
> if it is available.  A flag specifying this would be very useful, allowing
> one to specify a plain-text replication (over a secured network, say) from
> a master that normally provides TLS.
>
>   My current issue is trying to build a new master that will be swapped in
> place of the current master.  The new master has an SSL certificate using
> the current master's CN (ldap.uconn.edu), so that the swap will be
> seamless.  However, I need to establish SyncRepl replication to a new
> replica.  The new replica cannot correctly use TLS to the master, because
> the cert CN does not match the DNS-resolved FQDN.
>
>   Currently, this will be overcome with /etc/hosts trickery, but a TLS
> flag would be simpler (for me).
>
>
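The thread above turns on two things: the syncrepl `starttls` keyword defaults to off, and a replica that does use StartTLS rejects a provider whose certificate name does not match the host name it connected to (which is why the /etc/hosts workaround succeeds: the replica then connects using the name in the certificate). The following is an added illustration written for this page, not OpenLDAP code: it models the name check a TLS client performs and the syncrepl `starttls` decision. The host names, the certificate fields and the stanza text are constructed; the `yes`-versus-`critical` semantics (abort on StartTLS failure only when `critical`) follow the slapd.conf(5) description from later OpenLDAP releases and are assumed to hold for 2.2.15.

```python
"""Model of a syncrepl replica's StartTLS decision and certificate
name matching.  Added example for this thread, not OpenLDAP's own code."""

import re

# Constructed data (hypothetical names, not from the ITS report):
# the new master carries a certificate issued for the old master's name,
# but is reachable under a different FQDN until the swap happens.
NEW_MASTER_FQDN = "ldap-new.example.edu"
MASTER_CERT = {"cn": "ldap.uconn.edu", "sans": ["ldap.uconn.edu"]}


def hostname_matches(cert, hostname):
    """Name check in the style of RFC 6125: dNSName SANs are authoritative
    when present, the CN is only a fallback; a wildcard is accepted only as
    the whole leftmost label and matches exactly one label."""
    names = cert.get("sans") or [cert["cn"]]
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                     # ".uconn.edu"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]     # the part the '*' covers
                if prefix and "." not in prefix:
                    return True
    return False


def parse_starttls(syncrepl_stanza):
    """Return 'no', 'yes' or 'critical' for a slapd.conf syncrepl stanza.
    Default is 'no': StartTLS is used only when the keyword is present."""
    m = re.search(r"\bstarttls=(yes|critical)\b", syncrepl_stanza)
    return m.group(1) if m else "no"


def replicate(syncrepl_stanza, connect_host, provider_cert):
    """Simulate the replica's connection outcome: 'plaintext', 'tls' or
    'aborted'.  With starttls=yes a failed StartTLS (here: name mismatch)
    falls back to a plain-text session; with starttls=critical it aborts.
    (Assumed semantics, per slapd.conf(5) of later releases.)"""
    mode = parse_starttls(syncrepl_stanza)
    if mode == "no":
        return "plaintext"
    if hostname_matches(provider_cert, connect_host):
        return "tls"
    return "aborted" if mode == "critical" else "plaintext"


def demo():
    """Walk through the scenarios from the thread with the constructed data."""
    base = "syncrepl rid=1 provider=ldap://%s searchbase=dc=example,dc=edu"
    plain = base % NEW_MASTER_FQDN
    return {
        # no keyword: replication runs in the clear, as the reply states
        "default": replicate(plain, NEW_MASTER_FQDN, MASTER_CERT),
        # TLS wanted, but the certificate CN does not match the FQDN used
        "critical_mismatch": replicate(plain + " starttls=critical",
                                       NEW_MASTER_FQDN, MASTER_CERT),
        # starttls=yes quietly degrades to plaintext on the same mismatch
        "yes_mismatch": replicate(plain + " starttls=yes",
                                  NEW_MASTER_FQDN, MASTER_CERT),
        # /etc/hosts trick: connect using the name that is in the cert
        "critical_hosts_trick": replicate(
            (base % "ldap.uconn.edu") + " starttls=critical",
            "ldap.uconn.edu", MASTER_CERT),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-22s %s" % (case, outcome))
```

The `yes_mismatch` case is the one to watch when the goal is the opposite of this ITS: if TLS is actually required, `starttls=critical` is the setting that fails closed, while `starttls=yes` lets a verification failure turn into an unencrypted replication session without changing the configuration.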