
Re: syncrepl with ssl



Dieter Kluenter wrote:
James <james@nttmcl.com> writes:

Dieter Kluenter wrote:
Hi,

James <james@nttmcl.com> writes:


Dieter Kluenter wrote:

"Dieter Kluenter" <dieter@dkluenter.de> writes:



James <james@nttmcl.com> writes:

[...]

And what is the TLS part of the consumer slapd.conf looking like?


Sorry, my fault, it should read ldap.conf

-Dieter



timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,postfix,messagebus
URI ldaps://master.example.com
BASE dc=example,dc=com
ldap_version 3
pam_password exop
ssl on
tls_ciphers  HIGH:MEDIUM:+SSLv2:RSA
tls_checkpeer no
TLS_CACERT /etc/ssl/cacert.pem
TLS_REQCERT allow

Most of these are not valid parameters for OpenLDAP. This file is a
mixture of pam_ldap.conf and openldap/ldap.conf.

Does that cause problems? Because I just symlink libnss-ldap.conf and
pam_ldap.conf to ldap.conf for ease of management.
If it does cause problems, can you give me an example of what to
separate out where?

It may cause problems insofar as clients may refuse to recognise the file contents as valid parameters. You may strace or truss the slapd pid to view the files opened and read.

-Dieter

Just for reference, in case anybody else happens to have this little problem:
I solved it by stripping the password from the SSL key files on the master and slave servers running ldaps, so that they didn't prompt for a password when I start slapd,
like:
openssl rsa -in master.key -out master.key.clear
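Dieter's point that the posted file mixes pam_ldap/libnss-ldap keywords with openldap/ldap.conf ones, and James's question of what to separate out where, as an added example that is not part of the thread: a Python script of my own that splits a constructed copy of the posted file into the two configs and reports the settings under which the ldaps server certificate goes unverified. It assumes the keyword subset given in ldap.conf(5) and that libldap matches keywords case-insensitively.

```python
# Constructed copy of the mixed file posted in the thread.
MIXED_CONF = """\
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,postfix,messagebus
URI ldaps://master.example.com
BASE dc=example,dc=com
ldap_version 3
pam_password exop
ssl on
tls_ciphers  HIGH:MEDIUM:+SSLv2:RSA
tls_checkpeer no
TLS_CACERT /etc/ssl/cacert.pem
TLS_REQCERT allow
"""

# Keywords libldap reads from openldap/ldap.conf (subset of ldap.conf(5)); it
# compares them case-insensitively, so "timelimit" is valid there as well.
OPENLDAP_KEYS = {"URI", "BASE", "BINDDN", "HOST", "PORT", "SIZELIMIT", "TIMELIMIT",
                 "TIMEOUT", "NETWORK_TIMEOUT", "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT",
                 "TLS_KEY", "TLS_CIPHER_SUITE", "TLS_REQCERT", "TLS_CRLCHECK"}

def parse_conf(text):
    # Yield (keyword, value) pairs, skipping blank lines and # comments.
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")

def split_conf(text):
    """Return (openldap ldap.conf lines, pam_ldap.conf / libnss-ldap.conf lines)."""
    openldap, pam_nss = [], []
    for key, value in parse_conf(text):
        bucket = openldap if key.upper() in OPENLDAP_KEYS else pam_nss
        bucket.append(f"{key} {value}")
    return openldap, pam_nss

def weak_tls_settings(text):
    """Report settings under which the ldaps server certificate is not verified."""
    findings = []
    for key, value in parse_conf(text):
        k, v = key.upper(), value.lower()
        if k == "TLS_REQCERT" and v in ("never", "allow"):
            findings.append(f"{key} {value}: libldap ignores a bad or missing server cert")
        elif k == "TLS_CHECKPEER" and v == "no":
            findings.append(f"{key} {value}: pam_ldap/nss_ldap do not check the server cert")
    return findings
```

With `TLS_REQCERT demand` (the libldap default) and `tls_checkpeer yes`, both clients refuse a server whose certificate does not chain to `/etc/ssl/cacert.pem`, which is what makes the ldaps:// URI in the file worth having.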