I did not, as I didn't see it in the specification (although I didn't read the source code or the man page for slapd.conf). If I look at the man page I see there is an option starttls=yes. I tried that on the slave and sniffed, and VOILA, I can see TLS do the handshake for the certificate.
If someone can update the Admin guide to include the starttls option that would be cool. Below is what is posted in the admin23 doc, and the man page from 2.3.xx is below that. (I remember now why I love MAN pages.) Thanks, Quanah.
syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port] [type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of retries>]+] [searchbase=<base DN>] [filter=<filter str>] [scope=sub|one|base] [attrs=<attr list>] [attrsonly] [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off] [bindmethod=simple|sasl] [binddn=<DN>] [saslmech=<mech>] [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>] [realm=<realm>] [secprops=<properties>]
syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port] [type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of retries>]+] searchbase=<base DN> [filter=<filter str>] [scope=sub|one|base] [attrs=<attr list>] [attrsonly] [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off] [starttls=yes|critical] [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>] [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>] [realm=<realm>] [secprops=<properties>] [logbase=<base DN>] [logfilter=<filter str>] [syncdata=default|accesslog|changelog]
On Dec 20, 2007, at 2:09 PM, Quanah Gibson-Mount wrote:
Did you add the startTLS directive to your syncrepl configuration?
--Quanah
--On December 20, 2007 2:02:05 PM -0500 "Chris G. Sellers" chris.sellers@nitle.org wrote:
No - I didn't understand you correctly. I switched back to ldap://:389 and sniffed and it was all there in the clear.
I need to encrypt the communication (and binding) of the replication from the Master to the Slave. I cannot seem to get it to work and I can't find the documentation where it shows how to set the replication for the syncrepl to be SSL or TLS.
Sellers
On Dec 20, 2007, at 1:22 PM, Chris G. Sellers wrote:
I think I see what you are saying. The ldaps: is forcing the implied SSL, not startTLS. Thanks for making me think different.
So now I just need to switch back to ldap:// and make sure TLS is set up, and sniff to make sure the traffic is encrypted.
Thanks
Sellers
On Dec 20, 2007, at 11:54 AM, Quanah Gibson-Mount wrote:
--On December 20, 2007 11:03:44 AM -0500 "Chris G. Sellers" chris.sellers@nitle.org wrote:
which suggests that the connection could not be made on port 389 via TLS.
I can't figure out how to tell the repl connection to send a certificate. Do I have to set up a user in LDAP with a cert? Do I put a client cert into the syncrepl section of the slapd.conf file on the slave? Please advise.
You are confused. LDAPv3 startTLS is used to encrypt connections over port 389 (or other ports). The LDAPv2 HACK to do TLS over port 636 (ldaps://) is the other way of doing SSL encryption. You are mixing these two very different mechanisms.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Chris G. Sellers | NITLE Technology 734.661.2318 | chris.sellers@nitle.org AIM: imthewherd | GTalk: cgseller@gmail.com
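Added example, in Python, that is not from this thread and not OpenLDAP code: it builds and decodes, at the BER level described in RFC 4511, the three things a sniffer on the consumer can see at the start of a connection to the provider, which is the difference the thread turns on. The DN, password and message IDs are constructed sample values; the TLS record bytes are a constructed ClientHello prefix.

```python
"""What a sniffer sees at the start of a syncrepl consumer -> provider connection.

Added example (not from the thread, not OpenLDAP code). Three cases on the wire:

  * provider=ldap://host:389, no starttls option:
      first LDAPMessage is a simple BindRequest; binddn and credentials readable.
  * provider=ldap://host:389 with starttls=yes|critical:
      first LDAPMessage is an ExtendedRequest with the StartTLS OID, then TLS.
  * provider=ldaps://host:636 (implicit TLS):
      the very first bytes are a TLS handshake record, no cleartext LDAP at all.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ldap_message(msg_id, protocol_op):
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }
    # msg_id is a constructed sample value kept below 128 (one INTEGER octet).
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + protocol_op)


def simple_bind_request(msg_id, dn, password):
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER (3),
    #   name LDAPDN, authentication { simple [0] OCTET STRING } }
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, op))


def starttls_request(msg_id):
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the BER element at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def classify(first_bytes):
    """Label the first bytes of a provider connection as a sniffer would see them."""
    # TLS record: content type 0x16 (handshake), major version 0x03.
    if first_bytes[:1] == b"\x16" and first_bytes[1:2] == b"\x03":
        return ("tls-handshake", None)
    if first_bytes[:1] != b"\x30":           # not an LDAPMessage SEQUENCE
        return ("unknown", None)
    _, msg, _ = read_tlv(first_bytes, 0)
    _, _msg_id, pos = read_tlv(msg, 0)       # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag == 0x77:                       # ExtendedRequest
        name_tag, oid, _ = read_tlv(op, 0)
        if name_tag == 0x80 and oid == STARTTLS_OID:
            return ("starttls-request", None)
        return ("extended-request", oid.decode())
    if op_tag == 0x60:                       # BindRequest
        _, _version, pos = read_tlv(op, 0)
        _, dn, pos = read_tlv(op, pos)
        auth_tag, cred, _ = read_tlv(op, pos)
        if auth_tag == 0x80:                 # simple: password is right there
            return ("cleartext-simple-bind", (dn.decode(), cred.decode()))
        return ("sasl-bind", dn.decode())
    return ("ldap-other", None)


if __name__ == "__main__":
    # Constructed sample values, not anything from the thread.
    print(classify(simple_bind_request(1, "cn=replicator,dc=example,dc=org", "s3cret")))
    print(classify(starttls_request(1)))
    print(classify(b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"))  # constructed ClientHello prefix
```

Run against the first packet of a capture on port 389, the decoder returns the binddn and credentials verbatim when the consumer binds without StartTLS, which is exactly what the "all there in the clear" observation above corresponds to; with starttls set, the only cleartext LDAPMessage is the ExtendedRequest carrying 1.3.6.1.4.1.1466.20037. One caveat from the man page text quoted above: starttls=yes lets the syncrepl session continue without TLS if the StartTLS request fails, while starttls=critical aborts it, so critical is the setting to use when the requirement is that the bind credentials never cross the wire unencrypted.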