Re: TLS Replication that works for me (was Re: )
Daniel Crandall wrote:
Hi,
I’m having trouble figuring out how to use TLS to encrypt update
transmissions between the master and the slaves.
I do have certificates, and references to them in slapd.conf. Beyond
that I’m at a loss. Help?
Daniel
I feel your pain. I just learned this myself.
First, you want to get replication working without TLS. Assuming you
might need a tiny bit of help with that, it can be done as follows.
master:/path/slapd.conf
...
replica host=replica_server.domain.com
        binddn="cn=slave,dc=domain,dc=com"
        bindmethod=simple
        credentials=password
# /var/lib/ldap/replica/slurpd.replog in Red Hat Linux
replogfile /path/slurpd.replog
slave:/path/slapd.conf
...
# the slapd.conf directive is rootdn (rootbinddn belongs to pam_ldap's ldap.conf)
rootdn "cn=slave,dc=domain,dc=com"
rootpw password
updatedn "cn=slave,dc=domain,dc=com"
updateref ldap://master_server.domain.com
There are more elegant and secure ways of enabling the updatedn than
making it rootdn on the replica box, but anything other than rootdn will
involve an ACL to give that dn permission to write to everything.
Second, you need certificates. Certs can be generated from an openssl
rpm installation by running 'make' in /usr/share/ssl and following the
instructions. You might need an official cert request (.csr) to send to
Verisign, or you might only want a test cert. There was a three-part
article by AEleen Frisch (author of the Armadillo Book) on setting up
LDAP in Linux Magazine, early 2002. The page with ssl cert generation
is here:
http://www.linux-mag.com/cgi-bin/printer.pl?issue=2002-03&article=guru
Follow the SSL cert generation part exactly, and it's a piece of cake.
I've made a few other observations, though, that diverge from her
article. Everywhere I read about it, everyone says that replication in
openldap-2.x does not work with encrypted credentials. So... the tail
of my slapd.conf files looks like this.
master:/path/slapd.conf
...
# TLS = SSL-on-request, basically
replica host=replica_server.domain.com
        tls=critical
        binddn="cn=slave,dc=domain,dc=com"
        bindmethod=simple
        credentials=password
replogfile /path/slurpd.replog
TLSCertificateFile /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
slave:/path/slapd.conf
...
rootdn "cn=slave,dc=domain,dc=com"
rootpw password
updatedn "cn=slave,dc=domain,dc=com"
updateref ldap://master_server.domain.com
TLSCertificateFile /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
This works for me. Your mileage may vary a little, and there are
certainly more sophisticated ways of doing it. Anyone else is welcome
to add to this.
-j
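Added example, not part of the post above and not OpenLDAP's own tooling: a small Python audit of the slapd.conf tails shown in the thread. It joins whitespace-led continuation lines the way slapd does, pulls the key=value options off the replica directive, and flags the three things a reviewer would want checked before trusting this setup: a replica stanza without tls=critical (credentials and updates would cross the wire in clear), a TLSCipherSuite that does not exclude SSLv2 or anonymous suites (the post's +SSLv2 only lowers their preference, it does not remove them), and a rootpw kept in clear rather than as a slappasswd hash. MASTER_CONF and SLAVE_CONF are constructed samples mirroring the post's configs with the replica continuation lines indented, which the mail rendering above lost; the finding codes are my own naming.

```python
import shlex

# Constructed sample: the master-side tail from the post, with the replica
# continuation lines indented (slapd.conf treats a line that begins with
# whitespace as a continuation of the previous directive).
MASTER_CONF = """\
replica host=replica_server.domain.com
    tls=critical
    binddn="cn=slave,dc=domain,dc=com"
    bindmethod=simple
    credentials=password
replogfile /path/slurpd.replog
TLSCertificateFile /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
"""

# Constructed sample: the replica-side tail from the post.
SLAVE_CONF = """\
rootdn "cn=slave,dc=domain,dc=com"
rootpw password
updatedn "cn=slave,dc=domain,dc=com"
updateref ldap://master_server.domain.com
TLSCertificateFile /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
"""


def parse_slapd_conf(text):
    """Return [(directive, args)], dropping '#' comment lines and joining
    whitespace-led continuation lines onto the previous directive."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            name, args = entries[-1]
            entries[-1] = (name, (args + " " + raw.strip()).strip())
        else:
            parts = raw.strip().split(None, 1)
            entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def replica_options(args):
    """Split the key=value tokens of a replica directive; shlex keeps quoted DNs whole."""
    opts = {}
    for tok in shlex.split(args):
        if "=" in tok:
            key, value = tok.split("=", 1)
            opts[key.lower()] = value
    return opts


def audit(text):
    """Return [(code, message)] findings for a slapd.conf fragment (codes are this example's own)."""
    findings = []
    for directive, args in parse_slapd_conf(text):
        if directive == "replica":
            opts = replica_options(args)
            # OpenLDAP 2.0 spells the option tls=, later releases starttls=; accept either.
            tls = (opts.get("tls") or opts.get("starttls") or "").lower()
            if tls != "critical":
                findings.append(("REPLICA_NO_TLS",
                    "replica %s: no tls/starttls=critical, so the simple bind and every "
                    "update would cross the wire in clear" % opts.get("host", "?")))
        elif directive == "tlsciphersuite":
            tokens = [t.lower() for t in args.split(":")]
            if "!sslv2" not in tokens:
                findings.append(("CIPHERS_SSLV2",
                    "TLSCipherSuite %s: SSLv2 suites are not excluded; '+' only lowers "
                    "their preference, '!SSLv2' removes them" % args))
            if "!anull" not in tokens:
                findings.append(("CIPHERS_ANULL",
                    "TLSCipherSuite %s: anonymous (aNULL) suites are not excluded, which "
                    "permits an unauthenticated handshake" % args))
        elif directive == "rootpw" and not args.strip('"').startswith("{"):
            findings.append(("ROOTPW_CLEARTEXT",
                "rootpw is stored in clear; use a slappasswd-generated {SSHA} hash"))
    return findings


def codes(text):
    """Just the finding codes, in file order."""
    return [code for code, _ in audit(text)]


if __name__ == "__main__":
    for label, conf in (("master", MASTER_CONF), ("slave", SLAVE_CONF)):
        for code, msg in audit(conf):
            print("%s: %s: %s" % (label, code, msg))
```

Run against the two constructed samples it reports only the cipher-suite findings for the master and the cleartext rootpw plus the cipher-suite findings for the replica; swapping the suite for HIGH:!SSLv2:!aNULL and the rootpw for a {SSHA} hash clears them. Note that credentials= on the master must be in clear because slurpd has to present it, so that file's permissions matter as much as the TLS setting.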
- Follow-Ups:
- openldap compile
- From: Joaquin Henriquez Alzola <joaquin.henriquez-alzola@ree.ericsson.se>
- References:
- [no subject]
- From: Daniel Crandall <dcrandal@tdhca.state.tx.us>