Re: Slurpd and TLS/SSL

[jseymour@linxnet.com (Jim Seymour)]

Following-up to myself...

jseymour@linxnet.com (Jim Seymour) wrote:
> 
> 
> Howard Chu <hyc@symas.com> wrote:
> > 
> [snip]
> > 
> > All that matters is that both servers are properly configured to 
> > recognize/accept each other's certs. However, it's usually a bad idea to 
> > use self-signed certs for servers. Any time you need to use more than 
> > one cert you should create an actual CA cert and use it to sign all the 
> > others that you'll use.
> [snip]
> 
> All in good time.  But thanks for the suggestion.

Maybe sooner, rather than later.  Read on...

> 
> > Remember that slurpd is an LDAP client, not an LDAP server. It only 
> > extracts a few bits of info out of slapd.conf, the rest of its 
> > configuration (including TLS parameters) must be set via ldap.conf.
> 
> Got here O'Reilly's "LDAP System Administration" (now rather
> out-of-date, but still useful) and the OpenLDAP.org admin guide.
> Neither mentions anything about ldap.conf in relation of replication.
[snip]

So I did a "man ldap.conf" and started experimenting with TLS_REQCERT.
Values of "never" and "allow" resulted in TLS working.  A value of
"try" did not.  I'm certain "demand" or "hard" would likewise fail.

NB: One must remember to restart slurpd after each change ;).

So, I've some more homework to do.  (I'm inclined to wonder how many
admins *think* they've got encrypted connections between slurpd and
remote slapd's, and really don't?  How many admins go to the trouble
of doing a tcpdump/snoop/ethereal/whatever to see what's actually
happening?)

I need to look into forcing encryption.  (No, don't tell me.  I know
I've read it somewhere.  I'll find it again. ;).)

Thanks for the feedback, guys.

Jim