
RE: Replication with slurpd - problems using TLS



Thanks for the response.  I still don't understand the need to use ldaps
at all though, but I will try it and see if it works.  At this point though
I feel like I'm engaging in voodoo administration because I really have no
understanding of why I'd need ldaps for this.

Also I don't have a slurpd.conf file, have never heard of one - all I did
was to add lines to the slapd.conf file on the master, I didn't create a 
separate slurpd.conf file.  Both my master and slave servers in the
replication scenario I am working with do have TLSCACertificateFile
specified though, which is what I think you meant.  

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
Sent: Thursday, June 19, 2003 4:19 PM
To: Lawrence, Mike (White Plains); openldap-software@OpenLDAP.org
Subject: RE: Replication with slurpd - problems using TLS
--On Thursday, June 19, 2003 4:06 PM -0400 "Lawrence, Mike (White Plains)" 
<Mike.Lawrence@starwoodhotels.com> wrote:

>
> Hi Quanah - I will give it a shot, but I think I am very confused as to
> what is going on with openldap/SSL/TLS in general.  I don't have ldaps
> turned on at all and TLS works fine over port 389 for ssh user
> authentication
> when the user is in ldap.  And actually, that was the only way I was ever
> able to get TLS working, was to basically abandon ldaps and port 636 and
> just run ldap on 389 with start_tls in the /etc/ldap.conf file.  So I am
> very perplexed when you tell me that slurpd needs to do TLS over port 636
> (and this also seems to run contrary to the way it is done in the
> O'Reilly LDAP book).  So I will try it but I am very confused as to why :)
>
> If anyone else has any insight into getting TLS turned on with slurpd I
> would really appreciate it, I have been away from my LDAP project for a
> few weeks and am back at this brick wall now trying to scale over it.
> Thanks!
>

ldaps:// does tls over 389.  Also, do you specify TLSCACertificateFile in 
your slurpd.conf?

From our conf files:

master:
----------
replica         host=ldap9.stanford.edu:389
                tls=yes bindmethod=sasl
                binddn=cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
                saslmech=gssapi


slave:
--------
# Replica Directives

updatedn        cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
updateref       ldaps://ldap-master.stanford.edu
I.e.,
master:
-------
replogfile      /opt/csw/var/openldap-slurp/replica/slapd.replog

replica         host=10.14.12.33:389
                suffix="dc=webtech,dc=com"
                binddn="cn=replica,dc=webtech,dc=com"
                credentials=secret
                bindmethod=simple
                tls=yes


slave:
-------
rootdn          "cn=replica,dc=webtech,dc=com"
rootpw          {crypt}JOEAfuddHpilE
updatedn        "cn=replica,dc=webtech,dc=com"
updateref       ldaps://10.14.12.32

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
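As an added example (not code from this thread or from OpenLDAP), here is a small checker for the slapd.conf replica stanzas discussed above. slapd.conf folds a directive across lines by starting continuation lines with whitespace, which is why the Stanford stanza above got split on extraction; the script unfolds those lines, parses the key=value pairs, and reports any replica that would send simple-bind credentials to the slave without tls=yes. The configuration text is a constructed sample modelled on the stanzas in the thread; the hostnames in it are placeholders.

```python
import re

# Constructed sample modelled on the replica stanzas in the thread (not a real
# configuration).  Continuation lines start with whitespace, as in slapd.conf.
SAMPLE_SLAPD_CONF = """\
replogfile      /var/lib/openldap-slurp/replica/slapd.replog

replica         host=10.14.12.33:389
                suffix="dc=webtech,dc=com"
                binddn="cn=replica,dc=webtech,dc=com"
                credentials=secret
                bindmethod=simple
                tls=yes
replica         host=ldap-slave2.example.com:389
                suffix="dc=webtech,dc=com"
                binddn="cn=replica,dc=webtech,dc=com"
                credentials=secret
                bindmethod=simple
"""

# key=value pairs; values may be double-quoted (DNs with commas) or bare.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unfold(text):
    """Join slapd.conf continuation lines (leading whitespace) onto their directive."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    return logical


def parse_replicas(text):
    """Return one dict of key=value pairs per replica directive."""
    replicas = []
    for entry in unfold(text):
        parts = entry.split(None, 1)
        if parts[0] == "replica" and len(parts) == 2:
            replicas.append({k: v.strip('"') for k, v in _KV.findall(parts[1])})
    return replicas


def check_replicas(text):
    """Return hosts of replicas that would send a simple-bind password without TLS.

    Assumption: a missing bindmethod is treated as simple; tls=yes or tls=critical
    counts as protected (SASL/GSSAPI binds carry their own protection)."""
    findings = []
    for r in parse_replicas(text):
        simple = r.get("bindmethod", "simple") == "simple"
        if simple and r.get("tls", "no") not in ("yes", "critical"):
            findings.append(r.get("host", "?"))
    return findings
```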