
Re: Secure replication

Real, Elizabeth (392K) wrote:
> I’m running multi-master OpenLDAP (version 2.4.40) servers and need to secure
> replication. Can you point me to where I can find that information? What I found online
> is old and does not apply to the version I’m running.

The term "secure replication" is a bit blurry.

In general I set up replication like this:
- TLS everywhere => every replica has a server cert
- use the *individual* server certs as client certs for authenticating replicas
- use SASL/EXTERNAL with authz-regexp mapping to map to distinct replica entry
- use an LDAP group entry for replication ACLs
- tighten TLS protocol to 1.2
- set cipher settings to use perfect-forward secrecy (PFS)

YMMV

Ciao, Michael.
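A cn=config LDIF that applies the six points in the list above to one multi-master node, as an added example and not something taken from the thread or from the OpenLDAP project. Every DN, hostname, file path and the cipher string are constructed placeholders, and the authz-regexp pattern assumes the peer certificate subjects look like cn=<host>,ou=servers,o=example as slapd renders them.

```ldif
# Added example, not from the original thread. Constructed placeholders:
# dc=example,dc=com, hosts ldap1/ldap2, cert subjects cn=<host>,ou=servers,o=example.

# TLS everywhere: this replica's own server cert, the CA used to verify peers,
# TLS 1.2 as minimum (3.3 = TLS 1.2), PFS-only cipher string (OpenSSL syntax).
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/ldap1.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/ldap1.example.com.key
-
# "try": clients need not send a cert, but one that fails verification is rejected.
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5
-
# SASL/EXTERNAL: map the peer's certificate subject DN onto its replica entry.
replace: olcAuthzRegexp
olcAuthzRegexp: "^cn=([^,]+),ou=servers,o=example$" "cn=$1,ou=replicas,dc=example,dc=com"

# Replication ACL by group (members are the ou=replicas entries), TLS required on
# the database, and the consumer binds to its peer with this server's own cert.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=128
-
add: olcAccess
olcAccess: {0}to * by group.exact="cn=replicators,ou=groups,dc=example,dc=com" read by * break
-
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldaps://ldap2.example.com:636 type=refreshAndPersist
  retry="60 +" searchbase="dc=example,dc=com" bindmethod=sasl saslmech=EXTERNAL
  tls_cacert=/etc/ldap/tls/ca.pem tls_cert=/etc/ldap/tls/ldap1.example.com.crt
  tls_key=/etc/ldap/tls/ldap1.example.com.key tls_reqcert=demand
-
add: olcMirrorMode
olcMirrorMode: TRUE
```

Each node gets the same fragment with its own cert files, a distinct rid and the other nodes as providers; the ou=replicas entries and the cn=replicators group must exist in the DIT before the consumers first connect.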
