RUMI Szabolcs <[EMAIL PROTECTED]> writes:

> Hello!
>
> On Thu, 20 Dec 2007 11:03:44 -0500
> "Chris G. Sellers" <[EMAIL PROTECTED]> wrote:
>
>> I have set up sync replication on two OpenLDAP servers. I have it
>> successfully working via ldap://:389
>>
>> I then set up TLS for SSL connections. I used a self-signed cert
>> (using the OpenLDAP how-to) as well as a CA-signed cert from
>> cacert.org. I've set up the ca.crt in the ldap.conf file on both
>> the master and slave. I've also set up the ca.cert in the TLS for
>> the master server that the syncrepl host connects to.
>>
>> I've tested the cert with a connection via ldap -Z and -d debug
>> option and seen that the cert appears to be validated.
>>
>> So, when I turn on ldaps:// for the syncrepl section of the slave
>> server, and use port 389 I get a bind error
ldaps:// is a server-initiated TLS session, while STARTTLS on ldap:// is a
client-initiated TLS session. Don't forget that syncrepl is a client
connection to the server.

[...]

>> which suggests that the connection could not be made on port 389 via
>> TLS. I can't figure out how to tell the repl connection to send a
>> certificate. Do I have to set up a user in LDAP with a cert? Do I
>> put a client cert into the syncrepl section of the slapd.conf file
>> on the slave? Please advise.

As already mentioned, syncrepl is a client operation, thus ldap.conf(5)
would be applicable, but slapd.conf(5) has in addition configuration
parameters, just search for syncrepl.

> Indeed, I have also found that in the OpenLDAP documentation there
> are no directions about what kind of cert should be used for a syncrepl
> consumer, nor about how they could be specified - one may guess that
> one has to use the tls-related suboptions of the syncrepl option but
> there are no directions, no examples, no nothing. And then it does not
> work in the first place and does not have usable log or even debug
> output either...

Read the docs carefully! And think twice!

[...]

> When I set up normal SSL with provider="ldaps://<host>:636" then I
> simply get the same error you're getting and even with debug mode
> I could not get any details about the TLS/SSL handshake or what
> exactly the problem is.

First test with openssl tools, like s_client(1).

> IMHO it is extremely harsh how the self-signed certs are treated by
> OpenLDAP. In the majority of cases this is forcing people (after many
> hours of struggling) to use "TLS_REQCERT never" or similar settings,
> which ends up being a lot more insecure than it would be to accept a
> known self-signed cert... Not to mention that the syncrepl suboption
> "tls_reqcert=never" is apparently ignored so practically I've found
> that syncrepl is currently inoperable with any form of encryption.
> Is there anybody who could tell me what this is good for?
I do understand your frustration, but that is mostly due to not reading
the proper documentation. Forget about Google, the only relevant source
of information is: http://www.openssl.org/docs/

I have no problems creating a valid certificate chain with the openssl
tools, just modify openssl.cnf to your requirements:

./CA.pl -newca
./CA.pl -newreq
./CA.pl -sign
openssl rsa -in newreq.pem -out mykey.pem
mv newcert.pem mycert.pem
./CA.pl -verify mycert.pem

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
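As an added example (not part of Dieter's message, the thread, or OpenLDAP's own documentation), the same chain-building sequence done with plain openssl(1) commands instead of CA.pl, so each step is explicit: create the CA, issue the provider certificate, run the verify step, and run the s_client(1) check Dieter recommends against the provider's listener. It also shows, in a comment, the consumer-side syncrepl tls_* suboptions (as documented in slapd.conf(5)) that make the consumer perform that same verification instead of switching it off with tls_reqcert=never. The host name, directories, rid and subject names are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Added example: private CA + provider certificate with plain openssl commands,
# mirroring CA.pl -newca / -newreq / -sign / -verify. Names are placeholders.

# Must match the CN in the provider certificate and the host in the consumer's
# provider= URL; otherwise hostname verification on the consumer fails.
PROVIDER_HOST="ldap-master.example.com"

# make_chain DIR: writes DIR/ca.key DIR/ca.crt DIR/ldap.key DIR/ldap.crt.
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    # CA.pl -newca: self-signed CA certificate and key
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # CA.pl -newreq: provider key and CSR. -nodes leaves the key unencrypted
    # so slapd can load it unattended (what "openssl rsa -in newreq.pem
    # -out mykey.pem" achieves in Dieter's sequence).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$PROVIDER_HOST" \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" >/dev/null 2>&1 || return 1
    # CA.pl -sign: issue the provider certificate from the CSR
    openssl x509 -req -days 365 -in "$dir/ldap.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/ldap.crt" >/dev/null 2>&1 || return 1
}

# verify_chain CAFILE CERT: CA.pl -verify. Exit status 0 only if CERT chains
# to CAFILE. This is the check tls_reqcert=demand performs on the consumer
# and the one "TLS_REQCERT never" disables.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_listener CAFILE [HOST] [PORT]: the s_client(1) test against a running
# ldaps:// provider. Succeeds only when the handshake completes AND the
# presented certificate verifies against CAFILE. Needs network; not run here.
check_listener() {
    cafile="$1"; host="${2:-$PROVIDER_HOST}"; port="${3:-636}"
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Consumer side, slapd.conf fragment (assumed layout; the tls_* suboptions are
# the ones listed in slapd.conf(5) under syncrepl). Install ca.crt on the
# consumer and keep verification on:
#
#   syncrepl rid=001
#       provider=ldaps://ldap-master.example.com:636
#       (searchbase, bindmethod, credentials etc. as for the plain setup)
#       tls_cacert=/etc/openldap/certs/ca.crt
#       tls_reqcert=demand
#
# tls_reqcert=never, the workaround mentioned in the thread, skips the
# verify_chain step entirely; trusting the known CA via tls_cacert gives the
# "accept this self-signed cert" effect without giving up verification.

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_chain "$work"
    verify_chain "$work/ca.crt" "$work/ldap.crt" && echo "chain OK"
    rm -rf "$work"
fi
```

Run it as `sh mkchain.sh demo` to build and verify a throwaway chain; the verify step is the same test the consumer performs at connect time, so a chain that fails here will produce the bind error from the thread regardless of what the syncrepl stanza says.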
