On Thu, 2009-02-26 at 14:56 -0800, Howard Chu wrote:
In 2.4, if you configure syncrepl over TLS and omit the new options, does OpenLDAP use the values that are configured for the server certificate settings (TLS*), if any?
That's already explicitly stated in the slapd.conf(5) manpage.
If so, I'm confused as to why it failed for me originally.
I have no idea, it works for me.
Meh!
Craig: Try issuing two certs for your replica. One for the "server" services, one for the "client" service.
Sign them both by the same Root CA, or two different intermediary CAs (which you can daisy chain), but differentiate them with Netscape Certificate Use extensions for your own reference
OpenSSL.cnf:

[ v3_req_ext ]
subjectAltName = email:copy
nsCertType = client, email, objsign
# .2 = Client, .1 = Server
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
# extendedKeyUsage = 1.3.6.1.5.5.7.3.1
# Other variation (same OIDs by name, one per cert):
# extendedKeyUsage = serverAuth
# extendedKeyUsage = clientAuth
For example, your replica may sync with your master using a management interface which it sources its client TCP connection to the master from:
e.g., some-name.facil.organization.tld
-- The client cert will be signed with this hostname in the CN=
Then, it may serve its LDAP replica off of a "service VIP", possibly a HA/Load-Balanced IP address:
e.g., ldap.organization.tld
The Server cert can be signed with this hostname in the CN=
I'm hoping to maybe submit some massive documentation improvements that outline sound practices and affiliated recommended configurations.
~BAS
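The two-certificate split described in the post, as an added shell example that is not part of the thread: it issues a client cert and a server cert for one replica from a single throwaway Root CA, differentiated by nsCertType and extendedKeyUsage, and then shows that openssl verify -purpose enforces both extensions (the server cert is rejected as a client cert and vice versa). It assumes the openssl CLI is installed; the hostnames are the post's placeholders and every key is constructed demo material.

```shell
# Added example (not from the thread): one client cert and one server cert for a
# replica, signed by a constructed demo Root CA, split by nsCertType / EKU.
# Hostnames are the post's placeholders; all keys are throwaway demo material.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Minimal config so the demo does not depend on the system openssl.cnf.
make_ca() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# issue_cert NAME CN EXTENSIONS: sign a leaf with the given v3 section body.
issue_cert() {
  printf '[ v3_req_ext ]\n%b\n' "$3" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -extensions v3_req_ext -out "$WORK/$1.crt" 2>/dev/null
}
# usable_for NAME PURPOSE: succeeds only if the chain, nsCertType and EKU all
# allow the purpose (sslclient or sslserver).
usable_for() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
}
run_demo() {
  make_ca
  # Client cert: CN is the replica's management-interface hostname.
  issue_cert client some-name.facil.organization.tld \
    'nsCertType = client, email, objsign\nextendedKeyUsage = clientAuth'
  # Server cert: CN is the service VIP hostname the replica serves LDAP on.
  issue_cert server ldap.organization.tld \
    'nsCertType = server\nextendedKeyUsage = serverAuth'
  for n in client server; do for p in sslclient sslserver; do
    if usable_for "$n" "$p"; then echo "$n cert: $p OK"; else echo "$n cert: $p rejected"; fi
  done; done
}
run_demo
```

Expected matrix: client/sslclient OK, client/sslserver rejected, server/sslserver OK, server/sslclient rejected.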