
not so clear about tls and replica



Hi,
        Can someone give me some opinions on my OpenLDAP setup (with some
questions on OpenLDAP)?  I set up OpenLDAP with TLS and it is working fine.
 However, there are a few questions that I am not sure about: how TLS is working,
and some questions about slave replication.

1. When a client connects to the OpenLDAP server with TLS, does it use port 389
or port 636?  (I tried to test it with "openssl s_client -connect
ldap.example.com:389 blah blah..".  When I used port 389, it failed but
port 636 is ok.   Does it mean TLS always uses port 636?)

2. I run my OpenLDAP server on both port 389 and 636 (again with TLS).  I
have set "TLSVerifyClient demand".  However, people can still search my
directory on port 389 anonymously.  I thought with "TLSVerifyClient
demand", clients need to have a valid certificate in order to connect to
the server.  Is that right?

3. I have replication working between master/slave, but I think the way I
am setting up the replication is not very secure.  Can someone suggest a
better way to replicate between the master/slave?  Perhaps something simple
without Kerberos, etc... :)

4. On my slave's slapd.conf I have this: "updateref
ldap://server.example.com"; but I don't think this is right as I am using
TLS.  I assume this should be "updateref ldaps://server.example.com".


Thanks



Here are my slapd.conf files:

On master:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/server.example.com.ldap.crt
TLSCertificateKeyFile /etc/openldap/server.example.com.ldap.key
TLSVerifyClient demand
database        bdb
suffix          "dc=Corporate,dc=example,dc=COM"
rootdn          "uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
rootpw {SSHA}1234567890
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
replica uri=ldap://client.example.com:389
        binddn="uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
        bindmethod=simple credentials=secret
replogfile /var/lib/ldap/openldap-master-replog

access to dn.one="ou=People,dc=Corporate,dc=example,dc=COM"
        attr=userPassword,shadowLastChange
        by self write
        by * auth
access to *
        by group.base="uid=root,ou=People,dc=Corporate,dc=example,dc=COM" write
        by * read

lastmod on
sizelimit 1000
On Slave:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/certs/client.example.com.ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/client.example.com.ldap.key
TLSVerifyClient demand
database        bdb
suffix          "dc=Corporate,dc=example,dc=COM"
rootdn          "uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
rootpw {SSHA}1234567890
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
updatedn "uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
updateref ldap://server.example.com

access to dn.one="ou=People,dc=Corporate,dc=example,dc=COM"
        attr=userPassword,shadowLastChange
        by self write
        by * auth
access to *
        by group.base="uid=root,ou=People,dc=Corporate,dc=example,dc=COM" write
        by * read

lastmod on
sizelimit 1000
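The questions above all come down to which connections in this setup are actually protected by TLS. Two points of fact that frame them: on port 389 TLS is negotiated with the StartTLS extended operation after a plain LDAP connect, so a raw TLS handshake from openssl s_client against 389 fails while 636 (ldaps, TLS from the first byte) succeeds; and TLSVerifyClient only governs connections that negotiate TLS at all, so anonymous plain-389 access is controlled by the ACLs and by the "security" directive (for example "security ssf=128"), not by TLSVerifyClient. The script below is an added example, not part of the original post or of OpenLDAP; it is a small audit that parses a slapd.conf the way slapd does (an indented line continues the previous directive) and flags the cleartext transport and cleartext-credential settings visible in the posted config. The embedded config is a constructed cut-down copy of the poster's master slapd.conf with the same weak settings; the finding messages are the author's wording, and the starttls=critical option it looks for is the one slapd.conf(5) documents for the slurpd-era replica directive.

```python
"""Audit a slapd.conf-style OpenLDAP config for transport-security weaknesses.

Added example (not from the original post). The sample config is a constructed
cut-down copy of the poster's master slapd.conf.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the relevant lines of the posted master config.
SAMPLE_SLAPD_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/server.example.com.ldap.crt
TLSCertificateKeyFile /etc/openldap/server.example.com.ldap.key
TLSVerifyClient demand
database        bdb
suffix          "dc=Corporate,dc=example,dc=COM"
replica uri=ldap://client.example.com:389
        binddn="uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
        bindmethod=simple credentials=secret
replogfile /var/lib/ldap/openldap-master-replog
updateref ldap://server.example.com
"""


def parse_slapd_conf(text):
    """Return a list of (directive, argument-string) pairs.

    slapd.conf joins a line that begins with whitespace onto the previous
    directive, so 'replica' plus its indented binddn/credentials lines form a
    single logical directive. Blank lines and '#' comments are skipped.
    """
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            name, args = directives[-1]
            directives[-1] = (name, args + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def audit(text):
    """Return a list of human-readable findings for the given slapd.conf text."""
    findings = []
    directives = parse_slapd_conf(text)
    names = {name for name, _ in directives}

    for name, args in directives:
        if name == "tlsciphersuite" and re.search(r"(?i)sslv2", args):
            findings.append("TLSCipherSuite keeps SSLv2 ciphers in the list; remove +SSLv2")

        if name == "replica":
            # Replication traffic carries the bind password and every change;
            # with a plain ldap:// URI and no starttls=critical it is cleartext.
            uri = re.search(r"uri=(\S+)", args)
            scheme = urlsplit(uri.group(1)).scheme.lower() if uri else ""
            starttls = re.search(r"starttls=(\w+)", args)
            if scheme == "ldap" and not (starttls and starttls.group(1) == "critical"):
                findings.append("replica pushes updates over cleartext ldap:// "
                                "(use ldaps:// or starttls=critical)")
            if "credentials=" in args:
                findings.append("replica stores the bind password in cleartext in slapd.conf")

        if name == "updateref" and urlsplit(args.strip()).scheme.lower() == "ldap":
            findings.append("updateref sends writers to a cleartext ldap:// URL")

    # TLSVerifyClient applies only to sessions that negotiate TLS; without a
    # 'security' directive, plain port-389 sessions are still accepted.
    if "tlsverifyclient" in names and "security" not in names:
        findings.append("TLSVerifyClient does not cover plain port 389; add a 'security' "
                        "directive (e.g. security ssf=128) to require TLS")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SLAPD_CONF):
        print("-", finding)
```

Run against the sample it reports all five weaknesses; pointing it at a real slapd.conf (read the file into audit()) is a quick way to confirm that replication, referrals and the listener policy are all on the TLS side before trusting TLSVerifyClient to keep anonymous clients out.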