Re: Secure replication via TLS/SSL
Hello James,
Wednesday, October 02, 2002, 6:19:39 PM, you wrote:
JS> Hello all,
JS> I am using openldap-2.1.3 on Solaris 9 and have set up master and slave
JS> instances to operate on high ports to be able to start them as non-root.
JS> The master config has the following directive:
JS> replica host=somemachine.columbia.edu:9050
JS> binddn="cn=replicator,dc=myorg,dc=org"
JS> bindmethod=simple credentials=xxxxx
JS> tls=yes
JS> 1) If the master is started with ldaps:// and the slave with ldap://, the
JS> replication works, but I am still not convinced that the data is passed
JS> securely using TLS. I tried logging this communication with a high debug
JS> level, but it is still unclear if the tls=yes makes any difference.
JS> 2) If both are ldaps://, the replication does not work.
JS> I would appreciate any info on this!
JS> - James
You can disable the insecure (plain-text) ldap:// scheme completely on
the slave (and master) and avoid STARTTLS completely.
Your slurpd should have the corresponding settings (TLS=hard).
Set up the slave with ldaps:// on port 9051, for instance.
Set up the replica something like this:
=cut
replica host=somemachine.columbia.edu:9051
binddn="cn=replicator,dc=myorg,dc=org"
bindmethod=simple credentials=xxxxx
=cut
Make an appropriate .conf for slurpd and name it slurpd.conf:
=cut
TLS hard
TLS_CACERT /path/to/CA-CERT
# TLS_CERT /path/to/client.cert
# TLS_KEY /path/to/client.key
# TLS_REQCERT hard
=cut
It's highly recommended to use all of the above options.
Run slurpd with the special conf:
=cut
#!/bin/sh
LDAPRC=/path/to/slurpd.conf /path/to/slurpd -f /path/to/slapd.conf
=cut
Read more in the archive:
http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-software/200208/msg00285.html
--
Best regards,
Peter mailto:spam4octan@highway.ru
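As an added example (not code from this thread or from OpenLDAP), the following Python audit reads the two files the reply above puts together, slapd.conf with its replica directives and the ldap.conf-style file handed to slurpd through LDAPRC, and reports replicas that do not target the ldaps:// port and a slurpd.conf that leaves certificate verification unset. The host names, ports and paths are constructed from the thread and are assumptions; note that the thread's own slurpd.conf has TLS_REQCERT commented out, which the audit flags.

```python
import re

# Constructed sample inputs mirroring the thread (hosts, ports and paths
# are assumptions, not OpenLDAP defaults).
SLAPD_CONF = """\
replica host=somemachine.columbia.edu:9050
    binddn="cn=replicator,dc=myorg,dc=org"
    bindmethod=simple credentials=xxxxx
    tls=yes
replica host=othermachine.columbia.edu:9051
    binddn="cn=replicator,dc=myorg,dc=org"
    bindmethod=simple credentials=xxxxx
"""
SLURPD_CONF_WEAK = "TLS hard\nTLS_CACERT /path/to/CA-CERT\n# TLS_REQCERT hard\n"
SLURPD_CONF_OK = "TLS hard\nTLS_CACERT /path/to/CA-CERT\nTLS_REQCERT hard\n"

def parse_replicas(slapd_conf):
    """One dict per replica directive; slapd.conf continues a directive
    on lines that begin with whitespace."""
    replicas = []
    for line in slapd_conf.splitlines():
        if line.lower().startswith("replica "):
            replicas.append({})
        elif not (line[:1].isspace() and replicas):
            continue
        for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
            replicas[-1][key.lower()] = val.strip('"')
    return replicas

def parse_ldaprc(text):
    """ldap.conf-style file: `OPTION value`; `#` starts a comment, so a
    commented-out TLS_REQCERT line is simply absent."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(slapd_conf, slurpd_rc, ldaps_port):
    """Return findings; empty means every replica targets the ldaps:// port
    and slurpd is told explicitly to verify the slave's certificate."""
    findings = []
    for r in parse_replicas(slapd_conf):
        host, _, port = r["host"].partition(":")
        if port != str(ldaps_port):
            findings.append(f"{host}:{port or '389'} is not the ldaps:// port {ldaps_port}")
    opts = parse_ldaprc(slurpd_rc)
    if "TLS_CACERT" not in opts:
        findings.append("LDAPRC lacks TLS_CACERT: the slave's certificate cannot be checked")
    if opts.get("TLS_REQCERT", "").lower() not in ("hard", "demand"):
        findings.append("LDAPRC does not set TLS_REQCERT hard: verification is left to the library default")
    return findings
```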