We have an internal certificate authority which issues certificates to us. The authority provides certificates as a single file containing the certificate, the CA certificate (or chain) and the private key. We have no control over this, but I have forwarded the concern over the single file approach that Howard brought up previously to my CA team.
Based on the input to this chain, we will start using separate certificates for the server and client.
I do spend a fair amount of time in the OpenLDAP documentation, especially prior to resorting to the mailing list. This time around, I didn't see the answers I needed in the Admin Guide. I'll go back and look again. If it's still not clear I'd be happy to help out with the documentation.
Thanks everyone,
Craig
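The single-file bundle Craig describes (certificate, CA chain and private key in one file) is risky mainly because the one file tends to get copied wherever any of its parts is needed, so the private key ends up next to the public material. Below is an added example, not code from this thread or from OpenLDAP, that splits such a bundle into a server certificate, a chain file and a key file with restrictive permissions, and then checks that no private key leaked into the public files. It assumes the CA's ordering convention (entity certificate first, issuing chain after it); the PEM bodies in the sample are constructed placeholders, not real keys or certificates.

```python
import os
import re
import tempfile

# Constructed sample bundle in the shape Craig describes: leaf cert, chain, key.
# The base64 bodies are placeholders, not real cryptographic material.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBLEAFCERTIFICATEPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBINTERMEDIATECAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBROOTCAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEPRIVATEKEYPLACEHOLDER
-----END RSA PRIVATE KEY-----
"""

# One PEM block: the BEGIN label must match the END label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?-----END \1-----\n", re.S)


def split_bundle(text):
    """Return (leaf_cert, chain_certs, private_key) from a combined PEM file.

    Assumption (the CA's convention): the first CERTIFICATE block is the entity
    certificate, the remaining CERTIFICATE blocks are its issuing chain.
    """
    text = text.replace("\r\n", "\n")
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(text):
        label, block = match.group(1), match.group(0)
        if label.endswith("PRIVATE KEY"):      # RSA/EC/PKCS#8 key variants
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
        # Other block types (CRLs, DH parameters) are ignored on purpose.
    if not certs:
        raise ValueError("bundle contains no certificate")
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    return certs[0], certs[1:], keys[0]


def _write(path, data, mode):
    # Create the file with the final mode from the start, then enforce it,
    # so the key is never world-readable even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    os.chmod(path, mode)


def write_split(text, outdir, name):
    """Write <name>.crt, <name>-chain.pem and <name>.key into outdir."""
    leaf, chain, key = split_bundle(text)
    paths = {
        "cert": os.path.join(outdir, name + ".crt"),
        "chain": os.path.join(outdir, name + "-chain.pem"),
        "key": os.path.join(outdir, name + ".key"),
    }
    _write(paths["cert"], leaf, 0o644)          # public: safe to hand out
    _write(paths["chain"], "".join(chain), 0o644)
    _write(paths["key"], key, 0o600)            # private: owner only
    return paths


def check_no_key_leak(path):
    """True if the file holds no private-key block (use on cert/chain files)."""
    with open(path) as fh:
        return "PRIVATE KEY" not in fh.read()


def split_to_tempdir(text, name="replica-server"):
    """Convenience wrapper used by the demo and test: split into a fresh tempdir."""
    return write_split(text, tempfile.mkdtemp(), name)


def file_mode(path):
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    for kind, p in split_to_tempdir(SAMPLE_BUNDLE).items():
        print(kind, p, oct(file_mode(p)), "no key leak:", check_no_key_leak(p))
```

The chain file written here is what a consumer that only needs to *verify* the replica (for example TLSCACertificateFile on a client) should receive; the `.key` file stays on the host and is referenced only by the server's key directive.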
-----Original Message-----
From: openldap-software-bounces+worganc=nortel.com@openldap.org [mailto:openldap-software-bounces+worganc=nortel.com@openldap.org] On Behalf Of Howard Chu
Sent: Friday, February 27, 2009 6:06 PM
To: Brian A. Seklecki
Cc: Worgan, Craig (BVW:9T16); openldap-software@openldap.org
Subject: Re: Single-master replication over TLS fails in 2.4.15
Brian A. Seklecki wrote:
On Thu, 2009-02-26 at 14:56 -0800, Howard Chu wrote:
In 2.4, if you configure syncrepl over TLS and omit the new options, does OpenLDAP use the values that are configured for the server certificate settings (TLS*), if any?
That's already explicitly stated in the slapd.conf(5) manpage.
If so, I'm confused as to why it failed for me originally.
I have no idea, it works for me.
Meh!
Craig: Try issuing two certs for your replica. One for the "server" services, one for the "client" service.
Sign them both by the same Root CA, or two different intermediary CAs (which you can daisy chain), but differentiate them with Netscape Certificate Use extensions for your own reference.
You're assuming he even has a CA cert. From the looks of it, he's using a single self-signed cert for everything. The Admin Guide already tells you to use a CA cert and separate server and client certs, but some people just don't seem to bother reading or following docs. All the documentation in the world is useless if nobody pays any attention.
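What the separate-certificate setup looks like in slapd.conf, as an added example that is not part of this thread: the global TLS* directives carry the replica's server identity, while the syncrepl stanza names its own client certificate through the tls_* options documented in slapd.conf(5). File paths, hostnames, the suffix and the replication DN are assumptions for illustration.

```conf
# Server identity: presented to LDAP clients that connect to this replica.
TLSCACertificateFile   /etc/openldap/certs/ca-chain.pem
TLSCertificateFile     /etc/openldap/certs/replica-server.crt
TLSCertificateKeyFile  /etc/openldap/certs/replica-server.key

database        hdb
suffix          "dc=example,dc=com"

# Consumer side: a distinct client certificate for the syncrepl session.
# If tls_cert/tls_key were omitted, the consumer would fall back to the
# global TLS* values above, i.e. it would present the server cert as a client.
syncrepl rid=001
        provider=ldaps://provider.example.com
        type=refreshAndPersist
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=secret
        tls_cert=/etc/openldap/certs/replica-client.crt
        tls_key=/etc/openldap/certs/replica-client.key
        tls_cacert=/etc/openldap/certs/ca-chain.pem
        tls_reqcert=demand
```

With tls_reqcert=demand the consumer refuses the session unless the provider's certificate chains to the CA in tls_cacert, which is the check that makes issuing the certificates from a real CA, rather than a self-signed cert used for everything, worth the effort.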