I did not, as I didn't see it in the specification (although I didn't read the source code or the man page for slapd.conf). If I look at the man page I see there is an option starttls=yes. I tried that on the slave and sniffed, and VOILÀ, I can see the TLS do the handshake for the certificate.

If someone can update the Admin guide to include the starttls option that would be cool. Below is what is posted in the admin23 doc, and the man page from 2.3.xx is below that. (I remember now why I love MAN pages.) Thanks Quanah.

  syncrepl rid=<replica ID>
                provider=ldap[s]://<hostname>[:port]
                [type=refreshOnly|refreshAndPersist]
                [interval=dd:hh:mm:ss]
                [retry=[<retry interval> <# of retries>]+]
                [searchbase=<base DN>]
                [filter=<filter str>]
                [scope=sub|one|base]
                [attrs=<attr list>]
                [attrsonly]
                [sizelimit=<limit>]
                [timelimit=<limit>]
                [schemachecking=on|off]
                [bindmethod=simple|sasl]
                [binddn=<DN>]
                [saslmech=<mech>]
                [authcid=<identity>]
                [authzid=<identity>]
                [credentials=<passwd>]
                [realm=<realm>]
                [secprops=<properties>]


  syncrepl rid=<replica ID>
                provider=ldap[s]://<hostname>[:port]
                [type=refreshOnly|refreshAndPersist]
                [interval=dd:hh:mm:ss]
                [retry=[<retry interval> <# of retries>]+]
                searchbase=<base DN>
                [filter=<filter str>]
                [scope=sub|one|base]
                [attrs=<attr list>]
                [attrsonly]
                [sizelimit=<limit>]
                [timelimit=<limit>]
                [schemachecking=on|off]
                [starttls=yes|critical]
                [bindmethod=simple|sasl]
                [binddn=<dn>]
                [saslmech=<mech>]
                [authcid=<identity>]
                [authzid=<identity>]
                [credentials=<passwd>]
                [realm=<realm>]
                [secprops=<properties>]
                [logbase=<base DN>]
                [logfilter=<filter str>]
                [syncdata=default|accesslog|changelog]


On Dec 20, 2007, at 2:09 PM, Quanah Gibson-Mount wrote:

Did you add the startTLS directive to your syncrepl configuration?

--Quanah

--On December 20, 2007 2:02:05 PM -0500 "Chris G. Sellers"
<[EMAIL PROTECTED]> wrote:

> No - I didn't understand you correctly. I switched back to ldap://:389
> and sniffed and it was all there in the clear.
>
> I need to encrypt the communication (and binding) of the replication from
> the Master to the Slave. I can not seem to get it to work and I can't
> find the documentation where it shows how to set the replication for the
> syncrepl to be SSL or TLS.
>
>
> Sellers
>
>
>
> On Dec 20, 2007, at 1:22 PM, Chris G. Sellers wrote:
>
> > I think I see what you are saying. The ldaps: is forcing the implied
> > SSL not startTLS.   Thanks for making me think different.
> >
> > so now I just need to switch back to ldap:// and make sure TLS is setup
> > and sniff to make sure the traffic is encrypted.
> >
> > Thanks
> >
> > Sellers
> >
> > On Dec 20, 2007, at 11:54 AM, Quanah Gibson-Mount wrote:
> >
> > > --On December 20, 2007 11:03:44 AM -0500 "Chris G. Sellers"
> > > <[EMAIL PROTECTED]> wrote:
> > >
> > > > which suggests that the connection could not be made on port 389 via
> > > > TLS.
> > > > I can't figure out how to tell the repl connection to send a
> > > > certificate.
> > > > Do I have to setup a user in LDAP with a cert? Do I put a client cert
> > > > into the syncrepl section of the slapd.conf file on the slave? Please
> > > > advise.
> > >
> > > You are confused. LDAPv3 startTLS is used to encrypt connections over port
> > > 389 (or other ports). The Ldapv2 HACK to do TLS over port 636 (ldaps://)
> > > is the other way of doing SSL encryption. You are mixing these two very
> > > different mechanisms.
> > >
> > > --Quanah
> > >
> > > --
> > > Quanah Gibson-Mount
> > > Principal Software Engineer
> > > Zimbra, Inc
> > > --------------------
> > > Zimbra ::  the leader in open source messaging and collaboration
> >
> > ______________________________________________
> > Chris G. Sellers | NITLE Technology
> > 734.661.2318 | [EMAIL PROTECTED]
> > AIM: imthewherd | GTalk: [EMAIL PROTECTED]
>
> ______________________________________________
> Chris G. Sellers | NITLE Technology
> 734.661.2318 | [EMAIL PROTECTED]
> AIM: imthewherd | GTalk: [EMAIL PROTECTED]



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

______________________________________________
Chris G. Sellers                        |       NITLE Technology
734.661.2318                    |       [EMAIL PROTECTED]
AIM: imthewherd                 |       GTalk: [EMAIL PROTECTED]
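The point the thread arrives at (provider=ldaps:// negotiates TLS on connect, provider=ldap:// is cleartext unless the syncrepl stanza carries starttls=, and starttls=critical rather than starttls=yes is what actually guarantees the session is not silently downgraded) can be checked mechanically. The Python below is an added example, not code from the thread or from the OpenLDAP project: it parses a slapd.conf syncrepl directive into its key=value parameters and reports whether the replication transport is protected. The sample stanzas, host names and the credentials value are constructed placeholders; the parameter names are the ones in the 2.3 man page synopsis quoted above.

```python
import re
import shlex

# Constructed sample stanzas (not from the thread); host names and the
# credentials value are placeholders.
WEAK = """syncrepl rid=001
        provider=ldap://provider.example.test:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=test"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=test"
        credentials=placeholder-secret
"""

# starttls=yes: StartTLS is attempted, but the session continues in
# cleartext if the request fails.
OPPORTUNISTIC = WEAK.replace("bindmethod=simple", "starttls=yes\n        bindmethod=simple")

# starttls=critical: the session is aborted if StartTLS fails.
HARDENED = WEAK.replace("bindmethod=simple", "starttls=critical\n        bindmethod=simple")

# ldaps:// negotiates TLS on connect; StartTLS is not involved.
LDAPS = WEAK.replace("ldap://provider.example.test:389", "ldaps://provider.example.test:636")


def parse_syncrepl(stanza):
    """Parse one slapd.conf syncrepl directive into a dict.

    slapd.conf continues a directive on following lines that begin with
    whitespace, so those are joined first. shlex handles quoted values such
    as searchbase="dc=example,dc=test"; bare flags (attrsonly) map to True.
    """
    text = re.sub(r"\n[ \t]+", " ", stanza.strip())
    head, _, rest = text.partition(" ")
    if head.lower() != "syncrepl":
        raise ValueError("not a syncrepl directive")
    params = {}
    for token in shlex.split(rest):
        key, sep, value = token.partition("=")
        params[key.lower()] = value if sep else True
    return params


def is_protected(params):
    """True only when TLS is guaranteed: ldaps://, or ldap:// with starttls=critical."""
    scheme = str(params.get("provider", "")).split("://", 1)[0].lower()
    starttls = str(params.get("starttls", "")).lower()
    return scheme == "ldaps" or (scheme == "ldap" and starttls == "critical")


def audit_syncrepl(params):
    """Return a list of (severity, message) findings about the replication transport."""
    findings = []
    provider = str(params.get("provider", ""))
    scheme = provider.split("://", 1)[0].lower()
    starttls = str(params.get("starttls", "")).lower()

    if scheme == "ldaps":
        findings.append(("ok", "ldaps:// provider: TLS negotiated on connect, StartTLS not used"))
    elif scheme == "ldap":
        if starttls == "critical":
            findings.append(("ok", "starttls=critical: session is aborted if StartTLS fails"))
        elif starttls == "yes":
            findings.append(("warn", "starttls=yes: StartTLS attempted, but replication "
                                     "continues in cleartext if it fails"))
        else:
            findings.append(("fail", "ldap:// provider without starttls: replication traffic is cleartext"))
    else:
        findings.append(("fail", "unrecognised provider URL: %r" % provider))

    # bindmethod defaults to simple, and a simple bind sends the password itself,
    # so the bind is only as private as the transport.
    if (params.get("bindmethod", "simple") == "simple" and "credentials" in params
            and not is_protected(params)):
        findings.append(("fail", "simple bind credentials are sent without guaranteed TLS protection"))
    return findings


if __name__ == "__main__":
    for name, stanza in [("weak", WEAK), ("opportunistic", OPPORTUNISTIC),
                         ("hardened", HARDENED), ("ldaps", LDAPS)]:
        params = parse_syncrepl(stanza)
        print(name, "protected" if is_protected(params) else "NOT protected")
        for severity, message in audit_syncrepl(params):
            print("  [%s] %s" % (severity, message))
```

The checker only answers whether the session is encrypted, which is what the sniff in the thread confirms. Whether the consumer verifies the provider's certificate is a separate setting (the client-side TLS configuration, such as TLS_REQCERT in ldap.conf) that this script does not inspect, so a clean result here still leaves that to be confirmed.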
