
RE: Security, SSF and localhost lookups



On Wed, 2003-05-07 at 18:07, Howard Chu wrote:
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of M Butcher
> >
> > If there is a way to do replication over LDAPS, then I can
> > probably get
> > around the security settings that way.
> >
> > Is there a way to do that?
> 
> Yes, but not using slapd.conf. See the ldap.conf(5) manpage, look at the TLS
> option. If you set it to "yes" then all LDAP connections will be opened as
> LDAPS sessions instead. You can set this in an environment variable before
> slurpd starts, or you can set it in an "ldaprc" file stored in the directory
> where slurpd executes.

This makes sense. However, I can't get it to work.

Relevant part of ldap.conf:
BASE    dc=mydomain,dc=net
HOST    127.0.0.1

TLS_CACERT /usr/share/ssl/certs/cacert.pem
TLS    hard

Relevant part of slapd.conf:
replica host=slave1.mydomain.net
        tls=critical
        binddn="cn=Replica,dc=mydomain,dc=net"
        bindmethod=simple
        credentials=secret

(Platform, BTW, is RH Linux 7.3 w/ OpenLDAP 2.1.17)

With this configuration, I never see traffic over LDAPS. E.g. using
'tcpdump host slave1.mydomain.net port ldaps' never logs any traffic,
but doing the same thing on the ldap port shows a small amount of
traffic -- enough to set up an SSL connection. But data is not getting
replicated, and no errors are being reported in the logs.

Am I missing a step? Should tls=critical be removed? Do I need to
manually set the port number to 636 in slapd.conf?

Thanks for the help.

Matt

-- 
M Butcher <mbutcher@grcomputing.net>
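Added example, not part of the thread and not OpenLDAP or slurpd code. The message above tests for encryption by watching ports with tcpdump, but the tls= option of a replica directive in slapd.conf(5) requests StartTLS, which is negotiated in-band on the normal LDAP port, so that handshake appears on 389 and a filter on port ldaps sees nothing. The Python below tells LDAPS, StartTLS and a cleartext simple bind apart from the first bytes a client sends, using only the public wire formats (TLS record header, BER-encoded LDAPMessage, the StartTLS OID 1.3.6.1.4.1.1466.20037). The sample messages are constructed inline with a small BER encoder and reuse the replica DN and placeholder password from the slapd.conf fragment above; none of it is captured traffic.

```python
"""Tell LDAPS, StartTLS and cleartext LDAP apart by a client's first bytes.

Added example for the OpenLDAP thread above (not project code). Assumed wire
formats are the standard ones: a TLS record begins with type 0x16 and major
version 3; every LDAPMessage is a BER SEQUENCE (0x30) of messageID and
protocolOp; StartTLS is ExtendedRequest [APPLICATION 23] whose requestName
is OID 1.3.6.1.4.1.1466.20037; BindRequest is [APPLICATION 0] with a
[0] simple password or [3] SASL credentials.
"""
from __future__ import annotations

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
TLS_HANDSHAKE_RECORD = 0x16   # TLS ContentType 'handshake'
BER_SEQUENCE = 0x30           # first byte of every LDAPMessage
BER_INTEGER = 0x02
BER_OCTET_STRING = 0x04
CTX_0_PRIMITIVE = 0x80        # [0] IMPLICIT primitive: requestName / simple password
CTX_3_CONSTRUCTED = 0xA3      # [3] SaslCredentials
APP_BIND_REQUEST = 0x60       # [APPLICATION 0], constructed
APP_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER tag-length-value with a definite (short or long) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def ber_small_int(value: int) -> bytes:
    """INTEGER for 0..127, enough for messageID and the LDAP version."""
    return ber_tlv(BER_INTEGER, bytes([value]))


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def classify_client_bytes(data: bytes) -> dict[str, str]:
    """Classify the first bytes a client sends on a fresh LDAP TCP connection."""
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03:
        return {"kind": "tls-handshake",
                "detail": "TLS from the first byte: LDAPS, or the TLS phase after StartTLS"}
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        # Legacy SSLv2 record: 2-byte header with high bit set, then CLIENT-HELLO (1).
        return {"kind": "sslv2-client-hello", "detail": "legacy SSLv2 record header"}
    if not data or data[0] != BER_SEQUENCE:
        return {"kind": "unknown", "detail": "neither a TLS record nor a BER SEQUENCE"}
    try:
        _, msg, _ = read_tlv(data, 0)
        _, _msgid, pos = read_tlv(msg, 0)
        op_tag, op, _ = read_tlv(msg, pos)
        if op_tag == APP_EXTENDED_REQUEST:
            name_tag, name, _ = read_tlv(op, 0)
            oid = name.decode("ascii", "replace") if name_tag == CTX_0_PRIMITIVE else ""
            kind = "starttls-request" if oid == STARTTLS_OID else "extended-request"
            return {"kind": kind, "detail": oid}
        if op_tag == APP_BIND_REQUEST:
            _, _version, pos = read_tlv(op, 0)
            _, name, pos = read_tlv(op, pos)
            auth_tag, _, _ = read_tlv(op, pos)
            dn = name.decode("utf-8", "replace")
            if auth_tag == CTX_0_PRIMITIVE:
                # Simple bind before any TLS: the password crossed the wire in clear.
                return {"kind": "cleartext-simple-bind", "detail": dn}
            kind = "sasl-bind" if auth_tag == CTX_3_CONSTRUCTED else "other-bind"
            return {"kind": kind, "detail": dn}
        return {"kind": "ldap-other", "detail": f"protocolOp tag 0x{op_tag:02x}"}
    except (IndexError, ValueError):
        return {"kind": "unknown", "detail": "truncated or malformed LDAPMessage"}


# --- constructed sample inputs (not captured traffic) --------------------------

def sample_tls_client_hello() -> bytes:
    """TLS 1.0 record header plus a stub handshake body; only the header matters."""
    return bytes.fromhex("16 03 01 00 05 01 00 00 01 00")


def sample_starttls_request(msgid: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    request_name = ber_tlv(CTX_0_PRIMITIVE, STARTTLS_OID.encode("ascii"))
    return ber_tlv(BER_SEQUENCE,
                   ber_small_int(msgid) + ber_tlv(APP_EXTENDED_REQUEST, request_name))


def sample_simple_bind(dn: str, password: str, msgid: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name dn, simple password } }."""
    bind = (ber_small_int(3)
            + ber_tlv(BER_OCTET_STRING, dn.encode("utf-8"))
            + ber_tlv(CTX_0_PRIMITIVE, password.encode("utf-8")))
    return ber_tlv(BER_SEQUENCE, ber_small_int(msgid) + ber_tlv(APP_BIND_REQUEST, bind))


if __name__ == "__main__":
    # Replica DN and placeholder password come from the slapd.conf fragment in the thread.
    for label, data in {
        "port 636, first bytes": sample_tls_client_hello(),
        "port 389, StartTLS": sample_starttls_request(),
        "port 389, no TLS": sample_simple_bind("cn=Replica,dc=mydomain,dc=net", "secret"),
    }.items():
        print(f"{label:24s} -> {classify_client_bytes(data)}")
```

Feed it the payload of the first client data segment of a stream (for instance the first packet tcpdump or tcpflow captures on either port). A `cleartext-simple-bind` result for the replica DN means the bind credentials left the host unprotected; `starttls-request` on 389 followed by a TLS handshake is what a StartTLS replica produces, and `tls-handshake` as the very first bytes on 636 is LDAPS.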