Re: syncrepl with tls (documentation addition request)

[Howard Chu <hyc@symas.com>]

Terry L. Inzauro wrote:

> is there a way to specify different client certificates in slapd.conf 
> than the servers tls certificates for the purpose of syncrepl?

This is a bit of a mess in OpenLDAP up to 2.3. It's being fixed in 2.4.

In 2.3, the settings in /etc/openldap/ldap.conf (along with ~/.ldaprc 
etc...) are read in first, and then any TLS settings in the slapd config 
are processed last. The slapd code then creates a dedicated TLS context 
for itself, separate from the default TLS context that libldap uses. It 
appears that there's a missing step here, we ought to explicitly 
initialize libldap's context before reading the slapd config and 
initializing slapd's own context, and that isn't being done. The result 
is that the settings in the slapd config replace whatever was set in 
ldap.conf and the slapd certificates are used in both contexts.

In the 2.4 release I've added config options to setup explicit TLS 
contexts for the syncrepl consumer, and I'm in the midst of adding these 
options for back-ldap as well. This will give you explicit control over 
the certificate configurations for everything that can use TLS in slapd.

We can probably patch 2.3 to avoid having the same slapd certificate 
settings used everywhere, but you'll still need to use ~/.ldaprc to 
configure the client cert for syncrepl until 2.4 is released.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/