jvcelak(a)redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: master
> OS: Linux
> URL:
> ftp://ftp.openldap.org/incoming/jvcelak-20110912-syncrepl-allow-unsetting...
> Submission from: (NULL) (209.132.186.34)
>
> Hello,
>
> I'm just passing a patch submitted to our bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=734187
>
> To sum it up: If tls_cert/tls_key syncrepl options are not specified, the server
> setting is inherited and used. According to various reports on the Internet,
> this is a feature, not a bug.
Relying on hearsay "According to various reports on the Internet" is a stupid
way to get information, particularly when it's already documented in the
slapd.conf(5) and slapd-config(5) manpages.
> However, it forces a replica to use a client certificate for authentication,
> because the tls_cert and tls_key options cannot be disabled.
>
> The patch allows tls_* options to be disabled, like this: "tls_cert="
> Without the patch, a "file not found" error will occur.
>
> The patch is written by the submitter of the bug report - Patrick Monnerat
> (pm at datasphere dot ch).
Thanks for passing along the report, but I'm not convinced this is a
legitimate issue. Servers that trust each other for replication should accept
each other's TLS certificates. As I see it, if their certs aren't working in
this configuration then their certificates were created with the wrong usage
flags, and this is not an OpenLDAP issue.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/