On Friday 21 December 2007 00:31:12 RUMI Szabolcs wrote:
> Hello!
>
> On Thu, 20 Dec 2007 12:08:16 -0800
>
> Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
> > > IMHO it is extremely harsh how the self-signed certs are treated by
> > > OpenLDAP. In the majority of cases this is forcing people (after
> > > many hours of struggling) to use "TLS_REQCERT never" or similar
> > > settings, which ends up being a lot more insecure than it would be
> > > to accept a known self-signed cert... Not to mention that the
> > > syncrepl suboption "tls_reqcert=never" is apparently ignored so
> > > practically I've found that syncrepl is currently inoperable with
> > > any form of encryption. Is there anybody who could tell me what
> > > this is good for?
> >
> > Interestingly, plenty of people have gotten this to work. First, you
> > need to know how to create self-signed certs using a CA. Of course,
> > that's really off-topic for the OpenLDAP list, even though it has
> > been discussed many times. But until you know how to get that
> > working, you won't be able to get the syncrepl client to work, either.
>
> I'm using certificates I've generated since many years with a lot of
> software having SSL support like Apache, Cyrus IMAP, Postfix, OpenVPN,
> etc. and all of these are working seamlessly, with the exception of
> OpenLDAP.

But why do you configure OpenVPN to use a certificate as CA certificate,
but not your OpenLDAP clients? Or do you throw away half the value of
SSL by disabling certificate validation on *all* of these services????

> It's not only me who's struggling, just Google around if
> you don't believe me... Even the Gentoo Linux ebuild for OpenLDAP
> suggests that I have to use "TLS_REQCERT never" with self-signed
> certificates or else TLS won't work. And they're right.

IMHO, the Gentoo documentation for LDAP isn't necessarily the greatest.
Neither are most out-of-date HOWTOs (as there is no "WHY NOT TO" or
"WHY TO" part to them).

> To a proper self-signed certificate OpenLDAP simply says "self-signed
> certificate in certificate chain" or something like that and TLS/SSL
> handshake fails with an error.

For a client connection (such as syncrepl), add TLS_CACERT pointing to
the certificate in your ldap.conf.

In general (I haven't looked at the "TLS_REQCERT never" case), if
ldapsearch works with the -ZZ flags, then syncrepl will work.

Regards,
Buchan
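As an added illustration (not part of this thread, and not OpenLDAP's own tooling), a small shell lint for the ldap.conf client settings discussed above: it flags the "TLS_REQCERT never" shortcut, distinguishes it from the "demand but no trust anchor" state that produces the self-signed-chain error, and shows the corrected file with TLS_CACERT pointing at the server's own certificate. The two sample configs, hostnames and paths are constructed.

```shell
#!/bin/sh
# Added example: lint an ldap.conf for the TLS client settings discussed
# in the thread. Prints one line: a verdict word (OK, WEAK, INCOMPLETE or
# INSECURE) followed by the reason. Sample configs below are constructed.

check_ldap_tls_conf() {
    conf="$1"
    # ldap.conf keywords are case-insensitive; take the last value seen.
    # A commented-out line never matches because its first field is '#...'.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$conf")
    anchor=$(awk 'toupper($1)=="TLS_CACERT"||toupper($1)=="TLS_CACERTDIR"{v=$2} END{print v}' "$conf")
    # An absent TLS_REQCERT means the default, which is "demand".
    : "${reqcert:=demand}"
    case "$reqcert" in
        never)
            echo "INSECURE TLS_REQCERT never: the server certificate is never checked" ;;
        allow|try)
            echo "WEAK TLS_REQCERT $reqcert: a bad or missing certificate is tolerated" ;;
        demand|hard)
            if [ -z "$anchor" ]; then
                # The "self-signed certificate in certificate chain" case:
                # the fix is a trust anchor, not TLS_REQCERT never.
                echo "INCOMPLETE TLS_REQCERT $reqcert but no TLS_CACERT/TLS_CACERTDIR: a self-signed server is rejected"
            else
                echo "OK TLS_REQCERT $reqcert with trust anchor $anchor"
            fi ;;
        *)
            echo "INSECURE unknown TLS_REQCERT value '$reqcert'" ;;
    esac
}

# Constructed samples: the shortcut the thread warns against, and the fix
# Buchan describes (TLS_CACERT pointing at the self-signed server cert).
WEAK_CONF=$(mktemp); FIXED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
URI ldap://ldap.example.test
TLS_REQCERT never
EOF
cat > "$FIXED_CONF" <<'EOF'
URI ldap://ldap.example.test
TLS_CACERT /etc/openldap/ldap-server-selfsigned.crt
TLS_REQCERT demand
EOF

check_ldap_tls_conf "$WEAK_CONF"
check_ldap_tls_conf "$FIXED_CONF"
# With the fixed file in place, confirm StartTLS end to end as the reply
# suggests (if this works, syncrepl's TLS will too):
#   ldapsearch -ZZ -x -H ldap://ldap.example.test -b "" -s base
```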
