[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: syncrepl with x509 certificates

To: openldap-software@openldap.org
Subject: Re: syncrepl with x509 certificates
From: Alex Samad <alex@samad.com.au>
Date: Mon, 21 Jan 2008 15:57:17 +1100
Content-disposition: inline
In-reply-to: <47941542.5070204@symas.com>
Mail-followup-to: openldap-software@openldap.org
References: <20080120103102.GC25063@samad.com.au> <47941542.5070204@symas.com>
User-agent: Mutt/1.5.17 (2007-11-01)

On Sun, Jan 20, 2008 at 07:45:06PM -0800, Howard Chu wrote:
> Alex Samad wrote:
>> Hi
>>
>> I am trying to build a network of ldap nodes sync with syncrepl using x509
>> certificates.
>>
>> I ran into a problem when I setup the first slace node, I create a certificate
>> that did not have SSL Client purpose, but did have SSL Server purpose - I am
>> presuming it is this, because 2 certificates made exactly the same way, 1 fails
>> - the non SSL Client and the other works the one that has the SSL Client
>>    purpose.
>>
>> I am presuming that I need both purposes SSL Server and SSL Client - the former
>> to allow ldaps usage and the later for making ldap request and being a client
>> in a syncrepl scenario.
>>
>> Is there
>>
>> a) a way to specify another certificate to use in the syncrepl config
>
> In OpenLDAP 2.4, yes. Read the manpage.
	   syncrepl  rid=<replica  ID>  provider=ldap[s]://<hostname>[:port]   
[type=refreshOnly|refreshAndPersist]   [interval=dd:hh:mm:ss]
			  [retry=[<retry  interval>  <#  of retries>]+] searchbase=<base 
DN> [filter=<filter str>] [scope=sub|one|base] [attrs=<attr
			  list>]    [attrsonly]    [sizelimit=<limit>]    
[timelimit=<limit>]    [schemachecking=on|off]     [starttls=yes|critical]
			  [bindmethod=simple|sasl]  [binddn=<dn>] [saslmech=<mech>] 
[authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
			  [realm=<realm>]        [secprops=<properties>]        
[logbase=<base         DN>]         [logfilter=<filter         str>]
			  [syncdata=default|accesslog|changelog]
			  Specify  the  current  database  as a replica which is kept 
up-to-date with the master content by establishing the current
			  slapd(8) as a replication consumer site running a syncrepl 
replication engine.  The replica content is  kept  synchronized
			  to  the  master content using the LDAP Content Synchronization 
protocol. Refer to the "OpenLDAP Administratorâs Guide" for
			  detailed information on setting up a replicated slapd directory  
service  using  the  syncrepl  replication  engine.   rid
			  identifies  the  current  syncrepl directive within the 
replication consumer site.  It is a non-negative integer having no
			  more than three digits.  provider specifies the replication 
provider site containing the master content as an LDAP URI. If
			  <port>  is  not  given, the standard LDAP port number (389 or 
636) is used. The content of the syncrepl replica is defined
			  using a search specification as its result set. The consumer 
slapd  will  send  search  requests  to  the  provider  slapd
			  according  to  the  search  specification.  The search 
specification includes searchbase, scope, filter, attrs, attrsonly,
			  sizelimit, and timelimit parameters as in the normal search 
specification.  The scope defaults to sub, the filter defaults
			  to  (objectclass=*),  and  there  is  no  default  searchbase.  
The  attrs  list  defaults to "*,+" to return all user and
			  operational attributes, and attrsonly is unset by default.  The  
sizelimit  and  timelimit  only  accept  "unlimited"  and
			  positive  integers,  and  both default to "unlimited".  The LDAP 
Content Synchronization protocol has two operation types.
			  In the refreshOnly operation, the next synchronization search 
operation is periodically rescheduled at  an  interval  time
			  (specified   by   interval  parameter;  1  day  by  default)  
after  each  synchronization  operation  finishes.   In  the
			  refreshAndPersist operation, a synchronization search remains 
persistent in the provider slapd.  Further  updates  to  the
			  master  replica  will  generate  searchResultEntry  to  the  
consumer  slapd  as  the  search  responses to the persistent
			  synchronization search.  If an error occurs during replication, 
the consumer will attempt to reconnect  according  to  the
			  retry  parameter  which is a list of the <retry interval> and <# 
of retries> pairs.  For example, retry="60 10 300 3" lets
			  the consumer retry every 60 seconds for the first 10 times and 
then retry every 300 seconds for the next  3  times  before
			  stop  retrying.  The  â+â  in <# of retries> means indefinite 
number of retries until success.  The schema checking can be
			  enforced at the LDAP Sync consumer site by turning on the 
schemachecking parameter. The  default  is  off.   The  starttls
			  parameter  specifies  use of the StartTLS extended operation to 
establish a TLS session before Binding to the provider. If
			  the StartTLS request fails and the critical argument was used, 
the session will be aborted. Otherwise the syncrepl session
			  continues  without  TLS.   A bindmethod of simple requires the 
options binddn and credentials and should only be used when
			  adequate security services (e.g. TLS or IPSEC) are in place.  
REMEMBER: simple bind credentials must be in  cleartext!   A
			  bindmethod  of  sasl  requires  the  option  saslmech.   
Depending  on  the  mechanism,  an authentication identity and/or
			  credentials can be specified using authcid and credentials.  The 
authzid parameter may be used to specify an authorization
			  identity.   Specific  security  properties  (as  with the 
sasl-secprops keyword above) for a SASL bind can be set with the
			  secprops option. A non default SASL realm can be set with the 
realm option.

			  Rather than replicating whole entries, the consumer can query 
logs of  data  modifications.  This  mode  of  operation  is
			  referred  to  as  delta  syncrepl.  In  addition to the above 
parameters, the logbase and logfilter parameters must be set
			  appropriately for the log that will be used. The syncdata 
parameter must be set to either "accesslog" if the log  conforms
			  to the slapo-accesslog(5) log format, or "changelog" if the log 
conforms to the obsolete changelog format. If the syncdata
			  parameter is omitted or set to "default" then the log parameters 
are ignored.

This is the syncrep section of my man page for openssl.conf. Sorry but I can't 
find the section that tells me where to point to a different certificate file.  
I use TLSCertificateFile to point to the certificate that is used for the 
ldaps:// part ie acting as a server. 


>
>> b) a way to not check for the SSL Client purpose in the certificate
>
> That's a function of the SSL library; I would guess not.
>
>> For now I am going to create on that has both purposes ...
>
>> Alex
>>
>
>
> -- 
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP     http://www.openldap.org/project/
>

-- 
"And if you're interested in the quality of education and you're paying attention to what you hear at Laclede, why don't you volunteer? Why don't you mentor a child how to read?"

	- George W. Bush
01/05/2004
St. Louis, MO

Attachment: signature.asc
Description: Digital signature

Follow-Ups:
- Re: syncrepl with x509 certificates
  - From: Howard Chu <hyc@symas.com>

References:
- syncrepl with x509 certificates
  - From: Alex Samad <alex@samad.com.au>
- Re: syncrepl with x509 certificates
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: syncrepl with x509 certificates
Next by Date: Re: syncrepl with x509 certificates
Index(es):
- Chronological
- Thread