On Friday 21 December 2007 00:31:12 RUMI Szabolcs wrote:
Hello!
On Thu, 20 Dec 2007 12:08:16 -0800
Quanah Gibson-Mount quanah@zimbra.com wrote:
IMHO it is extremely harsh how the self-signed certs are treated by OpenLDAP. In the majority of cases this is forcing people (after many hours of struggling) to use "TLS_REQCERT never" or similar settings, which ends up being a lot more insecure than it would be to accept a known self-signed cert... Not to mention that the syncrepl suboption "tls_reqcert=never" is apparently ignored so practically I've found that syncrepl is currently inoperable with any form of encryption. Is there anybody who could tell me what this is good for?
Interestingly, plenty of people have gotten this to work. First, you need to know how to create self-signed certs using a CA. Of course, that's really off-topic for the OpenLDAP list, even though it has been discussed many times. But until you know how to get that working, you won't be able to get the syncrepl client to work, either.
I'm using certificates I've generated since many years with a lot of software having SSL support like Apache, Cyrus IMAP, Postfix, OpenVPN, etc. and all of these are working seamlessly, with the exception of OpenLDAP.
But, why do you configure openvpn to use a certificate as CA certificate, but not your OpenLDAP clients ? Or, do you throw away half the value of SSL by disabling certificate validation on *all* of these services????
It's not only me who's struggling, just Google around if you don't believe me... Even the Gentoo Linux ebuild for OpenLDAP suggests that I have to use "TLS_REQCERT never" with self-signed certificates or else TLS won't work. And they're right.
IMHO, the Gentoo documentation for LDAP isn't necessarily the greatest. Neither are most out-of-date HOWTOs (as there is no "WHY NOT TO", or "WHY TO" part to them).
To a proper self-signed certificate OpenLDAP simply says "self-signed certificate in certificate chain" or something like that and TLS/SSL handshake fails with an error.
For a client connection (such as syncrepl), add TLS_CACERT pointing to the certificate in your ldap.conf. In general (I haven't looked at the "TLS_REQCERT never" case), if ldapsearch works with the -ZZ flags, then syncrepl will work.
Regards, Buchan