
Re: syncrepl with x509 certificates



On Mon, 21 Jan 2008, Alex Samad wrote:
> Howard Chu <hyc@symas.com> wrote:
>>> a) a way to specify another certificate to use in the syncrepl config
>> In OpenLDAP 2.4, yes. Read the manpage.
> ...
> There seem to be 2 scenarios in which a cert is used:
>
> 1) as a server, to verify that you have connected to the right machine and to ensure your packets are encrypted. This requires a certificate with purpose SSL Server.
>
> 2) as a client, when an ldap server in a syncrepl setup is talking to the master server. This requires a certificate with purpose SSL Client.

Correct.

> I am trying to find out if it is possible to use a different certificate for the syncrepl process, but I can't find it.

To repeat what Howard wrote: it is possible, but *ONLY* with OpenLDAP version 2.4. If you're running 2.3 or earlier, then it is not possible, period. Since the manpage you quoted in another message did not show the required suboptions, you apparently aren't running 2.4. Your choices now are to either:
A) upgrade to 2.4 and use the new suboptions, or
B) continue to use the same cert for the two 'scenarios' you gave above.

> Maybe it's in the saslmech option.

The saslmech suboption has no effect on the cert used. (Why would it? SASL is logically at the layer above SSL.)



Philip Guenther
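The two-certificate layout discussed in this thread, written out as an OpenLDAP 2.4 slapd.conf fragment for a syncrepl consumer. This is an added example, not configuration posted by anyone in the thread: it uses the global TLS* directives for the server-side cert (scenario 1) and the syncrepl tls_* suboptions for the client-side cert (scenario 2). The file paths, the rid, the provider URL, the searchbase, the bind DN and the credentials are assumed values.

```conf
# Added example (not from the thread): an OpenLDAP 2.4 slapd.conf fragment for
# a syncrepl consumer that serves inbound TLS with one certificate and uses a
# different certificate when it connects to the provider.  All paths, the rid,
# provider URL, searchbase, bind DN and password below are assumed values.

# Scenario 1: the certificate slapd presents as a *server* to inbound clients.
# This cert needs the "SSL Server" purpose (extendedKeyUsage serverAuth).
TLSCACertificateFile   /etc/ldap/tls/ca.pem
TLSCertificateFile     /etc/ldap/tls/replica-server.pem
TLSCertificateKeyFile  /etc/ldap/tls/replica-server.key

# Scenario 2: the certificate this replica presents as a *client* when its
# syncrepl engine connects to the provider.  This cert needs the "SSL Client"
# purpose (extendedKeyUsage clientAuth).  The tls_* suboptions exist only in
# OpenLDAP 2.4; on 2.3 and earlier the consumer has to reuse the global
# TLS* cert above, as the reply in this thread says.
syncrepl rid=001
         provider=ldaps://master.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials=secret
         tls_cacert=/etc/ldap/tls/ca.pem
         tls_cert=/etc/ldap/tls/replica-client.pem
         tls_key=/etc/ldap/tls/replica-client.key
         tls_reqcert=demand

# Note: a bindmethod=sasl saslmech=EXTERNAL bind would authenticate with
# whichever certificate tls_cert selected; saslmech itself never picks the cert.
```

Before deploying, confirm each certificate carries the purpose its role needs with `openssl x509 -in <file> -noout -purpose` (look for "SSL server : Yes" on the cert behind TLSCertificateFile and "SSL client : Yes" on the cert behind tls_cert); with tls_reqcert=demand the consumer also refuses to replicate if the provider's server cert does not chain to tls_cacert.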