[email protected] wrote:
> Full_Name: Jan Vcelak
> Version: master
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20110912-syncrepl-allow-unsetting-of-tls-options.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> Hello,
>
> I'm just passing a patch submitted to our bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=734187
>
> To sum it up: If tls_cert/tls_key syncrepl options are not specified, the server
> setting is inherited and used. According to various reports on the Internet,
> this is a feature, not a bug.
Relying on hearsay ("According to various reports on the Internet") is a stupid way to get information, particularly when it's already documented in the slapd.conf(5) and slapd-config(5) manpages.

> However it forces a replica to use a client certificate for authentication,
> because the tls_cert and tls_key options cannot be disabled.
>
> The patch allows tls_* options to be disabled, like this: "tls_cert="
> Without the patch, a "file not found" error will occur.
> The patch is written by the submitter of the bug report - Patrick Monnerat
> (pm at datasphere dot ch).

Thanks for passing along the report, but I'm not convinced this is a legitimate issue. Servers that trust each other for replication should accept each other's TLS certificates. As I see it, if their certs aren't working in this configuration then their certificates were created with the wrong usage flags, and this is not an OpenLDAP issue.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
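As an added illustration (not OpenLDAP's code and not the submitted patch), the following Python models the three-state semantics the report describes for a consumer's syncrepl directive: an absent tls_cert/tls_key inherits the server-level setting, an empty value such as tls_cert= switches it off under the patched behaviour, and the pre-patch reading takes the empty value as a file name and fails. The server-level paths and the syncrepl line are constructed sample values.

```python
import shlex

# Constructed sample of server-level TLS settings a consumer would inherit.
SERVER_TLS = {
    "tls_cert": "/etc/openldap/certs/consumer.crt",
    "tls_key": "/etc/openldap/certs/consumer.key",
}


def parse_syncrepl(directive):
    """Split a slapd.conf syncrepl directive into {option: value}.

    shlex handles quoted values such as searchbase="dc=example,dc=com";
    an option written as 'tls_cert=' yields an empty string, which is the
    case the patch in the thread is about."""
    tokens = shlex.split(directive)
    if not tokens or tokens[0] != "syncrepl":
        raise ValueError("not a syncrepl directive")
    opts = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed syncrepl option: {tok!r}")
        opts[key] = value
    return opts


def effective_tls(opts, server=SERVER_TLS):
    """Patched semantics: absent -> inherit, empty -> disabled, set -> use."""
    resolved = {}
    for name in ("tls_cert", "tls_key"):
        if name not in opts:
            resolved[name] = server.get(name)   # inherited from server config
        elif opts[name] == "":
            resolved[name] = None               # explicitly unset by 'tls_cert='
        else:
            resolved[name] = opts[name]         # consumer's own file
    return resolved


def legacy_tls(opts, server=SERVER_TLS):
    """Pre-patch reading as the report describes it: an empty value is still
    treated as a path, so 'tls_cert=' cannot disable the option and the
    loader reports the file as not found."""
    resolved = {}
    for name in ("tls_cert", "tls_key"):
        value = opts.get(name, server.get(name))
        if value == "":
            raise FileNotFoundError(f"{name}: no such file: ''")
        resolved[name] = value
    return resolved
```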
