----- Original Message -----
From: "Howard Chu" hyc@symas.com
To: "k bah" kbah@linuxmail.org
Subject: Re: LDAP Replication +TLS +Self-signed certificate.
Date: Fri, 15 Aug 2008 03:34:19 -0700
k bah wrote:
> Hi,
> I have LDAP replication set up (slurpd), and it works fine. Until a while ago I had a
> CA certificate, and with that one I signed two other certificates, for two different hosts. So I had 3 "hosts": one is the CA, another one is the LDAP master and the last the LDAP slave. The configuration in slapd.conf on both master and slave had:
>
> TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt
> TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key
> TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt
That sounds like a correct configuration.
> Now I changed the certificates; both the master and slave machines use self-signed certificates. I changed the certificates/TLS config on several services that used them, and they work fine, but LDAP replication stopped working.
That is a bad configuration. The old saying applies - "if it ain't broke, don't fix it." Your original config was fine...
> I tried this (and I guess it makes sense):
>
> LDAP master slapd.conf:
> TLSCertificateFile /etc/openldap/ldap-master-cert.crt (self-signed certificate)
> TLSCertificateKeyFile /etc/openldap/ldap-master-key.key
> TLSCACertificateFile /etc/openldap/ldap-master-cert.crt
>
> LDAP slave slapd.conf:
> TLSCertificateFile /etc/openldap/ldap-slave-cert.crt (self-signed certificate)
> TLSCertificateKeyFile /etc/openldap/ldap-slave-key.key
> TLSCACertificateFile /etc/openldap/ldap-slave-cert.crt
>
> LDAP master ldap.conf:
> TLS_CACERT /etc/openldap/ldap-slave-cert.crt
> (Since when replicating, the master server acts as a client to the LDAP slave server, right? Quoting the slurpd man page: "Note that slurpd reads replication directive from slapd.conf(5), but uses ldap.conf(5) to obtain other configuration settings (such as TLS settings).")
>
> LDAP slave ldap.conf:
> TLS_CACERT /etc/openldap/ldap-master-cert.crt
> (I can't figure out now why; does the LDAP slave server act as a client to the LDAP master server? When?)
If you're replacing certs because they expired or some other reason, just duplicate the structure you had originally. Create one self-signed CA cert, then create your server certs and use your CA cert to sign all the other certs. Then distribute your CA cert to all the client machines as usual.