On Friday 15 August 2008 18:31:31 k bah wrote:
----- Original Message -----
From: "Howard Chu" hyc@symas.com
To: "k bah" kbah@linuxmail.org
Subject: Re: LDAP Replication +TLS +Self-signed certificate.
Date: Fri, 15 Aug 2008 03:34:19 -0700
k bah wrote:
Hi,
I have LDAP replication setup (slurpd), works fine. Until a while ago I had a CA certificate, and with that one I signed two other certificates, for two different hosts. So I had 3 "hosts": one is the CA, another one is the LDAP master and the last one is the LDAP slave. Configuration on both master and slave slapd.conf had:
TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt
TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key
TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt
That sounds like a correct configuration.
Now I changed the certificates, both the master and slave machines use self-signed certificates. I changed the certificates/TLS config on several services that used it, they work fine, but LDAP replication stopped working.
That is a bad configuration. The old saying applies - "if it ain't broke, don't fix it." Your original config was fine...
I tried this (and I guess it makes sense):
No, what you have below makes no sense. Why are you returning to an all-self-signed setup?
LDAP Master slapd.conf:
TLSCertificateFile /etc/openldap/ldap-master-cert.crt (self-signed certificate)
TLSCertificateKeyFile /etc/openldap/ldap-master-key.key
TLSCACertificateFile /etc/openldap/ldap-master-cert.crt
LDAP Slave slapd.conf:
TLSCertificateFile /etc/openldap/ldap-slave-cert.crt (self-signed certificate)
TLSCertificateKeyFile /etc/openldap/ldap-slave-key.key
TLSCACertificateFile /etc/openldap/ldap-slave-cert.crt
LDAP Master ldap.conf:
TLS_CACERT /etc/openldap/ldap-slave-cert.crt
(Since when replicating, the master server acts as a client to the LDAP slave server, right?) Quoting the slurpd man page: "Note that slurpd reads replication directive from slapd.conf(5), but uses ldap.conf(5) to obtain other configuration settings (such as TLS settings)."
Why are you using slurpd ?
LDAP Slave ldap.conf:
TLS_CACERT /etc/openldap/ldap-master-cert.crt
(I can't figure out now why; does the LDAP slave server act as a client to the LDAP master server? When?)
If you use any feature that requires the slave to connect to the master, including sync-repl replication, the chain overlay, or (possibly) the ldap or meta backends, this would depend entirely on your configuration, of which you have supplied relatively little.
If you're replacing certs because they expired or some other reason, just duplicate the structure you had originally. Create one self-signed CA cert, then create your server certs and use your CA cert to sign all the other certs. Then distribute your CA cert to all the client machines as usual.
Note that the "CA certificate" that you configure in the OpenLDAP ldap.conf file needs to be sufficient to validate the certificate of any of the LDAP servers you will connect to with SSL or START_TLS and certificate validation. If you are using self-signed certificates, you should then concatenate the certificates for all your LDAP servers on all your LDAP clients (and update all the clients whenever any of the certificates is renewed or changed). This is quite tedious once you have a significant number of servers and clients, which is why a CA certificate is used in any situation with more than a few servers ...
Regards, Buchan
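As an added illustration of the two layouts discussed in this thread (Howard's "one CA signs every server cert" structure and Buchan's concatenated-bundle fallback for all-self-signed setups), here is a small openssl script that is not part of the thread; it builds both layouts in a scratch directory and checks which trust file validates which server certificate. The work directory, the CN values and the host labels ldap-master / ldap-slave are assumptions for the demo, and it assumes an openssl binary with a default config.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild with openssl the two layouts
# discussed above (one CA signing every server cert, versus self-signed
# server certs concatenated into a bundle) and check which trust file
# validates which server cert. Paths, CNs and the work directory are
# assumptions for the demo; the real files would live under /etc/openldap/.
set -eu
WORK="${WORK:-$(mktemp -d)}"
DAYS=365

# Self-signed certificate and key for $1 (used for the CA itself and for the
# "all self-signed" layout from the question). openssl's default config marks
# a "req -x509" certificate as a CA, which is why a concatenated bundle of
# self-signed server certs can serve as TLS_CACERT.
selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
        -keyout "$WORK/$1-key.key" -out "$WORK/$1-cert.crt" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# Server certificate for $1 signed by the CA created with "selfsigned ca".
ca_signed() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1-key.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -days "$DAYS" -in "$WORK/$1.csr" \
        -CA "$WORK/ca-cert.crt" -CAkey "$WORK/ca-key.key" -CAcreateserial \
        -out "$WORK/$1-cert.crt" >/dev/null 2>&1
}

# What a client whose TLS_CACERT is $1 decides about server cert $2:
# prints "ok" or "fail", the same verdict slurpd's TLS layer would reach.
verify_cert() {
    if openssl verify -CAfile "$WORK/$1" "$WORK/$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Buchan's fallback for an all-self-signed setup: every client carries a
# bundle of all server certs, and the bundle must be redistributed whenever
# any of them is renewed.
bundle() {
    cat "$WORK/ldap-master-cert.crt" "$WORK/ldap-slave-cert.crt" \
        > "$WORK/bundle.crt"
}

if [ "${1:-}" = demo ]; then
    selfsigned ca && ca_signed ldap-master && ca_signed ldap-slave
    echo "master via CA cert:    $(verify_cert ca-cert.crt ldap-master-cert.crt)"
    echo "master via slave cert: $(verify_cert ldap-slave-cert.crt ldap-master-cert.crt)"
fi
```

Run it as `sh layout-check.sh demo`; the CA layout needs only ca-cert.crt distributed to clients, while the bundle must be rebuilt and redistributed every time any server certificate changes.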