updateref and TLS: Is it possible?
Question: Is the use of TLS possible when specifying an updateref?
Problem: Updaterefs do not work if security tls=128 is defined in
slapd.conf, even though ldapsearches using TLS work (e.g. ldapsearch -LLL -x
-ZZ -h ldap2.lab.sboss.org "(cn=johndoe)" uid).
Setup:
ldap.lab.sboss.org - load balancer
ldap1.lab.sboss.org - LDAP master
ldap2.lab.sboss.org - LDAP slave
For testing purposes, I am pointing ldap.conf's to ldap2 though in time
they'll point to ldap.
Master server:
replica host=ldap2.lab.sboss.org:389
        tls=yes
        suffix="dc=sboss,dc=org"
        binddn="cn=admin,dc=sboss,dc=org"
        credentials=somepassword
        bindmethod=simple
replogfile /var/lib/ldap/master-slapd.replog
Slave server:
updatedn "cn=admin,dc=sboss,dc=org"
updateref ldap://ldap1.lab.sboss.org
Replicating from master to slave works fine as, using ethereal, I can see
that the packets are encrypted. The updateref is a different matter.
The ldap.conf on the test client box looks something like this (pointed to
the slave for testing purposes only):
host ldap2.lab.sboss.org
base dc=sboss,dc=org
pam_filter objectclass=account
pam_groupdn cn=PAM,ou=Group,dc=sboss,dc=org
ssl start_tls
tls_ciphers HIGH
pam_password md5
If I include something like "security tls=128" in the slapd.conf on either
box, attempts to change one's password fail with this on the master:
slapd[13600]: conn=4 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Shouldn't the client automatically negotiate a TLS connection with the
server once it gets the updateref on the basis of the 'ssl start_tls'
section in its ldap.conf?
--
Brian