Re: Syncrepl with SASL External - SOLVED
On Tuesday, 6 March 2007 19:08, Pierangelo Masarati wrote:
> Angela Gavazzi wrote:
> > I found out that the problem was double encrypting of the connection:
>
> What does it mean "double encrypting of the connection"?
I mean that if I "force" encryption with demand on the provider and on the
consumer, then I think the consumer tries to encrypt an encrypted connection.
When I use allow on the consumer it works and is encrypted; I checked it with
tcpdump.
>
> > It works now if I set TLSVerifyClient to max. allow on the consumer side.
> > All stronger configurations end in:
> > CA unknown.
>
> This makes much more sense: your TLS configuration is broken. Are you
> using a self-signed certificate? Or, is your certificate signed by the
> CA to whom the certificate pointed to by TLSCACertificateFile belongs?
The certificate is signed by the CA pointed to by TLSCACertificateFile.
Angela
> > Thanks anyway
> >
> > Angela
> >
> >
> > Here are the relevant parts of the slapd.conf:
> > *****************************************************************
> > master:
> > ...
> >
> > ...
> > TLSCACertificateFile /etc/ldap/certs/cacert.pem
> > TLSCACertificatePath /etc/ldap/certs
> > TLSCertificateFile /etc/ldap/certs/erde.aag_cert.pem
> > TLSCertificateKeyFile /etc/ldap/certs/erde.aag_key.pem
> >
> > TLSVerifyClient demand
> >
> > *****************************************************************
> > slave:
> >
> >
> > TLSCACertificateFile /etc/ldap/certs/cacert.pem
> > TLSCACertificatePath /etc/ldap/certs
> > TLSCertificateFile /etc/ldap/certs/mond.aag_cert.pem
> > TLSCertificateKeyFile /etc/ldap/certs/mond.aag_key.pem
> >
> > ##################
> > TLSVerifyClient demand
> > ##################
> >
> > This has to be set to max allow.
>
> ... to disallow certificate checking. Fine if that's what you want.
>
> p.
>
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office: +39.02.23998309
> Mobile: +39.333.4963172
> Email: pierangelo.masarati@sys-net.it
> ------------------------------------------
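
Added example, not part of the original thread: one way to check the question raised above, whether each host certificate really chains to the CA named in TLSCACertificateFile, using `openssl verify`. The helper names `chain_ok`, `check_certs` and `make_demo_pki` are hypothetical, and the demo PKI is constructed test data in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# chain_ok CAFILE CERT: succeed only if CERT verifies against CAFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_certs CAFILE CERT...: report each cert, return non-zero if any fails.
check_certs() {
    ca=$1; shift; rc=0
    for cert in "$@"; do
        if chain_ok "$ca" "$cert"; then
            echo "OK    $cert"
        else
            echo "FAIL  $cert does not chain to $ca"; rc=1
        fi
    done
    return $rc
}

# make_demo_pki DIR: constructed test data: a CA, a cert it signed,
# and an unrelated self-signed cert that must be rejected.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca_key.pem" -out "$d/cacert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=consumer.example" \
        -keyout "$d/node_key.pem" -out "$d/node.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/node.csr" -days 1 -CA "$d/cacert.pem" \
        -CAkey "$d/ca_key.pem" -CAcreateserial \
        -out "$d/node_cert.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=stray.example" \
        -keyout "$d/stray_key.pem" -out "$d/stray_cert.pem" 2>/dev/null
}

# On the hosts from the thread this would be run as, for example:
#   check_certs /etc/ldap/certs/cacert.pem /etc/ldap/certs/mond.aag_cert.pem
# "demo" as first argument exercises both outcomes on constructed data.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d) && make_demo_pki "$tmp" &&
        check_certs "$tmp/cacert.pem" "$tmp/node_cert.pem" "$tmp/stray_cert.pem"
    rm -rf "$tmp"
fi
```

A FAIL line for a host certificate means "CA unknown" is the expected result of `TLSVerifyClient demand`, and the fix belongs in the certificates rather than in lowering the verification level.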