[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: LDAP Replication +TLS +Self-signed certificate.
k bah wrote:
Hi,
I have LDAP replication setup (slurpd), works fine. Until a while ago I had a
CA certificate, and with that one I signed other two certificates, for two
different hosts. So I had 3 "hosts", one is the CA, another one is LDAP Master
and the last the ldap slave. Configuration on both master and slave slapd.conf
had:
TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt
TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key
TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt
That sounds like a correct configuration.
Now I changed the certificates, both the Master and Slave machines use self
signed certificates, I changed the certificates/tls config on several
services that used it, they work fine, but LDAP replication stopped
working.
That is a bad configuration. The old saying applies - "if it ain't broke,
don't fix it." Your original config was fine...
If you're replacing certs because they expired or some other reason, just
duplicate the structure you had originally. Create one self-signed CA cert,
then create your server certs and use your CA cert to sign all the other
certs. Then distribute your CA cert to all the client machines as usual.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/