
Re: Require use of SSL..



And speaking of SSL, I have another issue I'd like to discuss. Okay, when I
generate a cert I specify the hostname. This locks the SSL cert to that
hostname. For the LDAP service I am using RRDNS. So I have servers like
dir1, dir2, dir3, but the service is connected to as dir. So this means when
I create the cert I need to create it as "dir" and use that cert for dir1,
dir2, dir3.

When specifying a replica host I need to specify the real hostname (e.g.,
dir2). I can't specify dir since this will result in a RRDNS hit which could
definitely lead to replication failing. (For one thing, you can't replicate
to yourself.)

Is there a solution?

How do I handle SSL, replication, and RRDNS at once? Is there a way around
this?

Here is the first line of my replica line:

replica         host=dir2.example.com:389

When creating the SSL cert I used the hostname dir.example.com so that
anyone could use "dir.example.com" and RRDNS would return some random LDAP
server.

----- Original Message -----
From: "adp" <dap99@i-55.com>
To: <openldap-software@OpenLDAP.org>
Sent: Monday, March 08, 2004 12:01 AM
Subject: Require use of SSL..


> I have been studying 'require' for slapd, but it doesn't appear to do what I
> want. Hopefully someone can help here. I want to force all connections to be
> over SSL. Is there an easy way to do this? I know that OpenLDAP supports
> both ldaps (just ldap over SSL on port 636 from what I can see) and StartTLS
> (port 389). What I can't see is how to enforce the use of StartTLS. Also, is
> there any reason why this would be a bad idea? We are using LDAP mostly to
> auth user logins (not yet actually).
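The hostname check a verifying TLS client applies to a server certificate, as an added example (not code from the thread or from OpenLDAP), to show why a certificate carrying only CN=dir.example.com is rejected when a replica is addressed as dir2.example.com, and how a certificate that lists the round-robin name and every real host as subjectAltName dNSName entries satisfies both. The certificate dicts are constructed in the shape Python's ssl.getpeercert() returns; the function names are assumptions.

```python
# Constructed sample certificates, in the shape returned by ssl.SSLSocket.getpeercert().
# Hostnames follow the post: the RRDNS alias "dir" and the real servers dir1..dir3.
CERT_CN_ONLY = {
    "subject": ((("commonName", "dir.example.com"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "dir.example.com"),),),
    "subjectAltName": (
        ("DNS", "dir.example.com"),
        ("DNS", "dir1.example.com"),
        ("DNS", "dir2.example.com"),
        ("DNS", "dir3.example.com"),
    ),
}


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact name, or a single leading '*' label
    that stands for exactly one label (never the bare domain)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]  # the label the wildcard must cover
    return bool(left) and "." not in left


def cert_names(cert: dict) -> list:
    """Names a client may match: SAN dNSNames if present, else the subject CN.
    Modern clients ignore the CN once any SAN dNSName is present."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    return any(dnsname_matches(name, hostname) for name in cert_names(cert))


def replica_check(cert: dict, hosts) -> dict:
    """Per host, whether a name-verifying client would accept this certificate."""
    return {h: hostname_matches_cert(cert, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["dir.example.com", "dir1.example.com", "dir2.example.com", "dir3.example.com"]
    print("CN only:", replica_check(CERT_CN_ONLY, hosts))
    print("with SAN:", replica_check(CERT_WITH_SAN, hosts))
```

With the CN-only certificate only the alias passes; the SAN certificate passes for the alias and every real replica host, so the same certificate can be verified whichever name a client or replication partner connects by.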