On Mon, Jan 21, 2008 at 04:53:15PM -0700, Philip Guenther wrote:
> On Mon, 21 Jan 2008, Alex Samad wrote:
>>> Howard Chu <hyc@symas.com> wrote:
>>>
>>>>> a) a way to specify another certificate to use in the syncrepl config
>>>> In OpenLDAP 2.4, yes. Read the manpage.
> ...
>> There seem to be 2 scenarios in which a cert is used:
>>
>> 1) as a server, to verify that you have connected to the right machine and
>> to ensure your packets are encrypted. This requires a certificate with
>> purpose SSL Server.
>>
>> 2) as a client, when an ldap server in a syncrepl setup is talking to the
>> master server. This requires a certificate with purpose SSL Client.
>
> Correct.
>
>> I am trying to find out if it is possible to use a different certificate
>> for the syncrepl process, but I can't find it.
>
> To repeat what Howard wrote: it is possible, but *ONLY* with OpenLDAP
> version 2.4. If you're running 2.3 or earlier then it is not possible,

Yep, I missed the reliance on 2.4.

> period. Since the manpage you quoted in another message did not show the
> required suboptions, you apparently aren't running 2.4. Your choices now
> are to either:
> A) upgrade to 2.4 and use the new suboptions, or

Trying to track down a 2.4 .deb.

> B) continue to use the same cert for the two 'scenarios' you gave above.

Doing that in the interim.

>
>
>> Maybe it's in the saslmech option.
>
> The saslmech suboption has no effect on the cert used. (Why would it? SASL
> is logically at the layer above SSL.)

I asked because I wasn't sure; nothing else seemed obvious.

>
>
> Philip Guenther
>

-- 
Mulder: Either we're dealing with a psychotic religious fanatic who's hell
bent on exposing these kinds of frauds, or a less pragmatic psycho who
harbours a murderous resentment towards the church, or maybe it's just a...
uh... very disgruntled altar boy.
"The X-Files: Revelations"
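As an added illustration of the two-certificate setup discussed above (this fragment is not from the thread or from the OpenLDAP project; hostnames, DNs, credentials and file paths are placeholders), here is an OpenLDAP 2.4 slapd.conf in which the global TLS directives carry the SSL Server purpose certificate and the syncrepl directive's tls_* suboptions carry a separate SSL Client purpose certificate for the consumer's connection to the provider:

```conf
# --- Consumer slapd.conf (OpenLDAP 2.4) ---

# Scenario 1: certificate presented to clients connecting to THIS server.
# Must carry the SSL Server purpose (extendedKeyUsage serverAuth).
TLSCACertificateFile    /etc/ldap/ssl/ca.crt
TLSCertificateFile      /etc/ldap/ssl/consumer-server.crt
TLSCertificateKeyFile   /etc/ldap/ssl/consumer-server.key

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Scenario 2: certificate presented BY this server when syncrepl connects
# to the provider. A different file, carrying the SSL Client purpose
# (extendedKeyUsage clientAuth). Only 2.4 accepts these suboptions;
# 2.3 would reject the directive.
syncrepl rid=001
        provider=ldap://provider.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=REPLACE_ME
        starttls=critical
        tls_cacert=/etc/ldap/ssl/ca.crt
        tls_cert=/etc/ldap/ssl/consumer-client.crt
        tls_key=/etc/ldap/ssl/consumer-client.key
        tls_reqcert=demand

# --- Provider slapd.conf excerpt ---
# The provider only sees the consumer's client certificate if it asks
# for one; "allow" or "try" request it, "demand" refuses the TLS session
# without a valid one.
TLSCACertificateFile    /etc/ldap/ssl/ca.crt
TLSCertificateFile      /etc/ldap/ssl/provider-server.crt
TLSCertificateKeyFile   /etc/ldap/ssl/provider-server.key
TLSVerifyClient         demand
```

`tls_reqcert=demand` on the consumer is what makes scenario 1 meaningful in the other direction: the consumer refuses to replicate from a provider whose server certificate does not verify against `tls_cacert`. `openssl x509 -in <file> -noout -purpose` reports whether a given certificate carries the SSL Client or SSL Server purpose, which is the quickest way to confirm each file is in the right slot.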