
Re: Slurpd and TLS/SSL





--On Thursday, October 13, 2005 12:34 PM -0400 Jim Seymour <jseymour@linxnet.com> wrote:

> Hi All,
>
> I got replication working on port 389.  I can talk to the replica server
> on port 636 using SSL with JXplorer.  But when I try to use port 636
> for replication, replication silently fails.  (The "silently" part is
> especially bothersome :(.)
>
> Both servers have self-signed certs, if that matters.
>
> I found an item about how slurpd must use TLS on port 389, as opposed
> to SSL on port 636, and went back to port 389.  Tcpdump revealed the
> connection was not encrypted.
>
> I tried "uri=https://host.example.com:389" and that, too, failed
> silently.

This would be SSL over port 389, not TLS over 389.

Also, LDAP URIs use "ldaps://" or "ldap://", not "https". Of course, that is quite clearly documented in the slapd man page:

replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
        [starttls=yes|critical] [suffix=<suffix> [...]]
        bindmethod=simple|sasl [binddn=<simple DN>]
        [credentials=<simple password>] [saslmech=<SASL mech>]
        [secprops=<properties>] [realm=<realm>]
        [authcId=<authentication ID>] [authzId=<authorization ID>]
        [attr[!]=<attr list>]

So if you want to use TLS, you'd use:

uri="ldap://...." starttls=yes

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
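
As an added example (not part of either message above), here is the slurpd replica stanza in slapd.conf written the broken way and the working way. Host names, the bind DN and the password are placeholders; the note about ldap.conf TLS_CACERT is an assumption about how slurpd, as a libldap client, is told to trust the replica's self-signed certificate.

```conf
# Added example, not from the original thread. Placeholder host, DN and
# password; replace them with your own.

# Broken: "https" is not an LDAP URI scheme, so slurpd never reaches the
# replica and, as the thread describes, nothing is logged.
#replica uri=https://replica.example.com:389
#        binddn="cn=replicator,dc=example,dc=com"
#        bindmethod=simple credentials=REPLACE_ME

# Working: plain LDAP on 389, upgraded with StartTLS before the bind.
# "critical" (rather than "yes") makes slurpd drop the connection when
# StartTLS fails instead of continuing in cleartext, so a TLS problem
# shows up as an error in the slurpd log rather than as unencrypted
# traffic in tcpdump.
replica uri=ldap://replica.example.com:389
        starttls=critical
        binddn="cn=replicator,dc=example,dc=com"
        bindmethod=simple credentials=REPLACE_ME

# Assumption: with a self-signed certificate on the replica, the master's
# client-side TLS settings (TLS_CACERT in ldap.conf pointing at that
# certificate) must trust it, or starttls=critical will refuse to connect.
```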