On Mon, Jan 21, 2008 at 04:53:15PM -0700, Philip Guenther wrote:
> On Mon, 21 Jan 2008, Alex Samad wrote:
> > Howard Chu <hyc@symas.com> wrote:
> > > > a) a way to specify another certificate to use in the syncrepl config
> > >
> > > In OpenLDAP 2.4, yes. Read the manpage.
> ...
> > There seem to be 2 scenarios that a cert is used,
> > - as a server to verify that you have connected to the right machine and
> >   to ensure your packets are encrypted. This requires a certificate with purpose SSL Server
> > - as a client when a ldap server in a syncrepl setup is talking to the
> >   master server. This requires a certificate with purpose SSL Client.
>
> Correct.
>
> > I am trying to find out if it is possible to use a different certificate for the syncrepl process, but I can't find it.
>
> To repeat what Howard wrote: it is possible, but *ONLY* with OpenLDAP version 2.4. If you're running 2.3 or earlier then it is not possible,

Yep I missed the reliance on 2.4

> period. Since the manpage you quoted in another message did not show the required suboptions, you apparently aren't running 2.4. Your choices now are to either:
> A) upgrade to 2.4 and use the new suboptions, or

trying to track down a .deb 2.4

> B) continue to use the same cert for the two 'scenarios' you gave above.

doing that in the interim

> > Maybe it's in saslmech option.
>
> The saslmech suboption has no effect on the cert used. (Why would it? SASL is logically at the layer above SSL.)

I asked because I wasn't sure, nothing else seemed obvious

> Philip Guenther
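
The setup discussed in this thread, as an added example that is not part of the original messages: a consumer-side slapd.conf fragment for OpenLDAP 2.4 in which the syncrepl connection presents its own client certificate through the tls_cert and tls_key suboptions, separate from the certificate slapd serves to its own clients. The hostname, suffix, rid and all file paths are constructed placeholders.

```conf
# slapd.conf on the consumer, OpenLDAP 2.4 (added example; all paths,
# the hostname and the suffix below are placeholders, not from the thread)

# Scenario 1: this slapd acting as a TLS server.
# Certificate issued with purpose "SSL Server".
TLSCACertificateFile    /etc/ldap/tls/ca.pem
TLSCertificateFile      /etc/ldap/tls/consumer-server.pem
TLSCertificateKeyFile   /etc/ldap/tls/consumer-server.key

# Scenario 2: this slapd acting as a TLS client towards the master.
# The directive goes inside the consumer's database section.
# Continuation lines must begin with whitespace.
syncrepl rid=001
  provider=ldap://master.example.com
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=example,dc=com"
  # SASL runs above the TLS layer: saslmech picks the bind mechanism
  # only and has no effect on which certificate is presented.
  bindmethod=sasl
  saslmech=EXTERNAL
  # Refuse to replicate if StartTLS cannot be established.
  starttls=critical
  # Per-syncrepl TLS settings (2.4 only): certificate issued with
  # purpose "SSL Client", plus its private key.
  tls_cert=/etc/ldap/tls/consumer-client.pem
  tls_key=/etc/ldap/tls/consumer-client.key
  # CA used to verify the master's server certificate; reject the
  # connection if verification fails.
  tls_cacert=/etc/ldap/tls/ca.pem
  tls_reqcert=demand
```

On 2.3 and earlier the tls_* suboptions are not available in syncrepl, which is why option B in the thread means one certificate has to serve both roles.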