[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Single-master replication over TLS fails in 2.4.15

To: Craig Worgan <worganc@nortel.com>
Subject: Re: Single-master replication over TLS fails in 2.4.15
From: Howard Chu <hyc@symas.com>
Date: Thu, 26 Feb 2009 14:56:30 -0800
Cc: openldap-software@openldap.org
In-reply-to: <87AC5F88F03E6249AEA68D40BD3E00BE19E45C10@zcarhxm2.corp.nortel.com>
References: <87AC5F88F03E6249AEA68D40BD3E00BE19E45678@zcarhxm2.corp.nortel.com> <49A709CF.6090700@symas.com> <87AC5F88F03E6249AEA68D40BD3E00BE19E45C10@zcarhxm2.corp.nortel.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b3pre) Gecko/20090220 SeaMonkey/2.0a1pre Firefox/3.0.3

Craig Worgan wrote:

Hi Howard,

I actually thought that my certificate was bad, until I went back to 2.3
with the same certificate and configuration and it worked fine.  Quanah
pointed out the new TLS related syncrepl options which, when I added
them to my config, fixed the problem.  Thing is, I pointed the syncrepl
options to the same certificate I am using for the TLS* server
certificate directives. I am using a compound certificate, so my TLS
related config looks like this:

...
TLSCertificateFile 0.pem
TLSCACertificateFile 0.pem
TLSCertificateKeyFile 0.pem


Combining the private and public elements of the certs into one file is not wise.

...
syncrepl rid=983
  provider=ldaps://myhost.nortel.com:10636
  type=refreshAndPersist
  searchbase=dc=nortel,dc=com
  bindmethod=simple
  binddn=cn=someaccount,dc=nortel,dc=com
  credentials=secret
  retry="30 +"
  tls_cert=0.pem
  tls_cacert=0.pem
  tls_key=0.pem

In 2.4, if you configure syncrepl over TLS and omit the new options,
does OpenLDAP use the values that are configured for the server
certificate settings (TLS*), if any?


That's already explicitly stated in the slapd.conf(5) manpage.

If so, I'm confused as to why it
failed for me originally.


I have no idea, it works for me.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Single-master replication over TLS fails in 2.4.15
  - From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>

References:
- Single-master replication over TLS fails in 2.4.15
  - From: "Craig Worgan" <worganc@nortel.com>
- Re: Single-master replication over TLS fails in 2.4.15
  - From: Howard Chu <hyc@symas.com>
- RE: Single-master replication over TLS fails in 2.4.15
  - From: "Craig Worgan" <worganc@nortel.com>

Prev by Date: RE: Single-master replication over TLS fails in 2.4.15
Next by Date: accesslog crashes server
Index(es):
- Chronological
- Thread