[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Replica (ldap slave server) certificates (SSL/TLS). Are clients certificates needed?

To: "Gavin Henry" <ghenry@openldap.org>
Subject: Re: Replica (ldap slave server) certificates (SSL/TLS). Are clients certificates needed?
From: "Alberto GD" <darkxer0x@esdebian.org>
Date: Fri, 14 Nov 2008 15:24:14 +0100
Cc: openldap-software@openldap.org
In-reply-to: <8959038.101226659466280.JavaMail.root@mail>
References: <2c8076820811131551l159dbc53y923d243cb28925be@mail.gmail.com> <8959038.101226659466280.JavaMail.root@mail>

I'm newbie in mailman list, so I don't know if I'm sending this email correctly.

Tranks for your reply, and what I've understood, I have to do the following:

% cd /var/myca/

% /usr/share/ssl/misc/CA.sh -newca

This creates cacert.pem and private/cakey.pem (these files are common for all the server and clients). In The field of Common Name I have to write the ldap master server name host (i.e. ldap.dominio.com).

Now, I make a singing request for master server, slave server (replica) and clients. I execute all these command for each one changing the Common Name for the specific host name (for master server: ldap.dominio.com, for slave server (replica):replica.ldap.dominio.com, for clients: pc1.dominio.com....).
%

openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

% /usr/share/ssl/misc/CA.sh -sign

Are all OK?
Thank you very much, and if this is correct, you could add this to a FAQ of the openldap guide, because I haven't seen anything about slave servers.

2008/11/14 Gavin Henry <ghenry@openldap.org>

----- "Alberto GD" <darkxer0x@esdebian.org> wrote:

> Hi!
> I've followed openldap.org 's guide and ldap works great with TLS/SSL
> with authentication in server and clients. Now I have added a LDAP
> replica (ldap slave server), and I have some questions:
> - In the clients I had to make the certs with the server certificate
> (cacer.pem) of the master, because I check the server certificate, and
> also check the clients in the server. Now that I have a replica, I
> have to make others certs with the server certificate of the slave
> server (and how can I show two certificates to ldap.conf)?? (I
> followed this (
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.3 ) Or with the
> certificates made from server certificates its sufficient??
>
> >Step 1 and 2: Do nothing ... the CA does not need to be created
> again. The plan is to use the same CA certificate to sign the client
> certificate.

For all server and clients certs you have created or will create, just sign them
all with the CA cert you created and make sure all servers and clients get a copy
of the CA cert. That's all you need to do.

Gavin.

--
Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.

http://www.openldap.org/project/

Follow-Ups:
- Re: Replica (ldap slave server) certificates (SSL/TLS). Are clients certificates needed?
  - From: Gavin Henry <ghenry@OpenLDAP.org>

References:
- Replica (ldap slave server) certificates (SSL/TLS). Are clients certificates needed?
  - From: "Alberto GD" <darkxer0x@esdebian.org>
- Re: Replica (ldap slave server) certificates (SSL/TLS). Are clients certificates needed?
  - From: Gavin Henry <ghenry@OpenLDAP.org>

Prev by Date: Re: Replica (ldap slave server) certificates (SSL/TLS). Are clients certificates needed?
Next by Date: Re: Replica (ldap slave server) certificates (SSL/TLS). Are clients certificates needed?
Index(es):
- Chronological
- Thread