On Thu, 20 Dec 2007 12:08:16 -0800
Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> IMHO it is extremely harsh how the self-signed certs are treated
> OpenLDAP. In the majority of cases this is forcing people (after
> many hours of struggling) to use "TLS_REQCERT never" or similar
> settings, which ends up being a lot more insecure than it would be
> to accept a known self-signed cert... Not to mention that the
> syncrepl suboption "tls_reqcert=never" is apparently ignored so
> practically I've found that syncrepl is currently inoperable with
> any form of encryption. Is there anybody who could tell me what
> this is good for?
Interestingly, plenty of people have gotten this to work. First, you
need to know how to create self-signed certs using a CA. Of course,
that's really off-topic for the OpenLDAP list, even though it has
been discussed many times. But until you know how to get that
working, you won't be able to get the syncrepl client to work, either.
I'm using certificates I've generated since many years with a lot of
software having SSL support like Apache, Cyrus IMAP, Postfix, OpenVPN,
etc. and all of these are working seamlessly, with the exception of
OpenLDAP. It's not only me who's struggling, just Google around if
you don't believe me... Even the Gentoo Linux ebuild for OpenLDAP
suggests that I have to use "TLS_REQCERT never" with self-signed
certificates or else TLS won't work. And they're right.
To a proper self-signed certificate OpenLDAP simply says "self-signed
certificate in certificate chain" or something like that and TLS/SSL
handshake fails with an error.
And when I set "TLS_REQCERT never", ldapsearch and other clients
start working instantly both with SSL and STARTTLS but syncrepl
still doesn't. Maybe it doesn't honor the ldap.conf settings,
maybe something else is the problem, I couldn't find out so far,
but I just suspect it might be with TLS because if TLS is allowed
to fail then it does work with plaintext.