[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: TLS Replication that works for me (was Re: )
Hi, thanks for your reply!
I've got replication working, and I have the certificates generated. No
problems there.
The slapd.conf details are I'm sure where I'm out in the weeds.
Specifically, I didn't know about this
tls=critical # TLS = SSL-on-request, basically
Thanks a lot for this information, I'll give it a shot right now.
Daniel Crandall
Unix/Network Administrator
Texas Department of Housing and Community Affairs.
512-305-8574
dcrandal@tdhca.state.tx.us
-----Original Message-----
From: John Beamon [mailto:jbeamon@franklinamerican.com]
Sent: Wednesday, May 14, 2003 10:15 AM
To: openldap-software@OpenLDAP.org
Subject: Re: TLS Replication that works for me (was Re: )
Daniel Crandall wrote:
> Hi,
>
> I'm having trouble figuring out how to use TLS to encrypt update
> transmissions between the master and the slaves.
>
> I do have certificates, and references to them in slapd.conf. Beyond
> that I'm at a loss. Help?
>
>
>
> Daniel
>
I feel your pain. I just learned this myself.
First, you want to get replication working without TLS. Assuming you
might need a tiny bit of help with that, it can be done as follows.
master:/path/slapd.conf
...
replica host=replica_server.domain.com
binddn="cn=slave,dc=domain,dc=com"
bindmethod=simple
credentials=password
replogfile /path/slurpd.replog # (/var/lib/ldap/replica/slurpd.replog in
Red Hat Linux)
slave:/path/slapd.conf
...
rootbinddn "cn=slave,dc=domain,dc=com"
rootpw password
updatedn "cn=slave,dc=domain,dc=com"
updateref ldap://master_server.domain.com
There are more elegant and secure ways of enabling the updatedn than
making it rootdn on the replica box, but anything other than rootdn will
involve an ACL to give that dn permission to write to everything.
Second, you need certificates. Certs can be generated from an openssl
rpm installation by running 'make' in /usr/share/ssl and following the
instructions. You might need an official cert request (.csr) to send to
Verisign, or you might only want a test cert. There was a three-part
article by AEleen Frisch (author of the Armadillo Book) on setting up
LDAP in Linux Magazine, early 2002. The page with ssl cert generation
is here:
http://www.linux-mag.com/cgi-bin/printer.pl?issue=2002-03&article=guru
Follow the SSL cert generation part exactly, and it's a piece of cake.
I've made a few other observations, though, that diverge from her
article. Everywhere I read about it, everyone says that replication in
openldap-2.x does not work with encrypted credentials. So... the tail
of my slapd.conf's looks like this.
master:/path/slapd.conf
...
replica host=replica_server.domain.com
tls=critical # TLS = SSL-on-request, basically
binddn="cn=slave,dc=domain,dc=com"
bindmethod=simple
credentials=password
replogfile /path/slurpd.replog
TLSCertificateFile /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
slave:/path/slapd.conf
...
rootbinddn "cn=slave,dc=domain,dc=com"
rootpw password
updatedn "cn=slave,dc=domain,dc=com"
updateref ldap://master_server.domain.com
TLSCertificateFile /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
This works for me. Your mileage may vary a little, and there are
certainly more sophisticated ways of doing it. Anyone else is welcome
to add to this.
-j