Hi
I am trying to build a network of ldap nodes synced with syncrepl using x509 certificates.
I ran into a problem when I set up the first slave node: I created a certificate that did not have the SSL Client purpose, but did have the SSL Server purpose. I am presuming it is this, because of 2 certificates made exactly the same way, 1 fails (the non SSL Client one) and the other works (the one that has the SSL Client purpose).
I am presuming that I need both purposes, SSL Server and SSL Client: the former to allow ldaps usage and the latter for making ldap requests and being a client in a syncrepl scenario.
Is there
a) a way to specify another certificate to use in the syncrepl config
b) a way to not check for the SSL Client purpose in the certificate
For now I am going to create one that has both purposes ...
Alex
Alex Samad wrote:
Hi
I am trying to build a network of ldap nodes synced with syncrepl using x509 certificates.
I ran into a problem when I set up the first slave node: I created a certificate that did not have the SSL Client purpose, but did have the SSL Server purpose. I am presuming it is this, because of 2 certificates made exactly the same way, 1 fails (the non SSL Client one) and the other works (the one that has the SSL Client purpose).
I am presuming that I need both purposes, SSL Server and SSL Client: the former to allow ldaps usage and the latter for making ldap requests and being a client in a syncrepl scenario.
Is there
a) a way to specify another certificate to use in the syncrepl config
In OpenLDAP 2.4, yes. Read the manpage.
b) a way to not check for the SSL Client purpose in the certificate
That's a function of the SSL library; I would guess not.
For now I am going to create one that has both purposes ...
Alex
On Sun, Jan 20, 2008 at 07:45:06PM -0800, Howard Chu wrote:
Alex Samad wrote:
Hi
I am trying to build a network of ldap nodes synced with syncrepl using x509 certificates.
I ran into a problem when I set up the first slave node: I created a certificate that did not have the SSL Client purpose, but did have the SSL Server purpose. I am presuming it is this, because of 2 certificates made exactly the same way, 1 fails (the non SSL Client one) and the other works (the one that has the SSL Client purpose).
I am presuming that I need both purposes, SSL Server and SSL Client: the former to allow ldaps usage and the latter for making ldap requests and being a client in a syncrepl scenario.
Is there
a) a way to specify another certificate to use in the syncrepl config
In OpenLDAP 2.4, yes. Read the manpage.
syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port] [type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of retries>]+] searchbase=<base DN> [filter=<filter str>] [scope=sub|one|base] [attrs=<attr list>] [attrsonly] [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off] [starttls=yes|critical] [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>] [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>] [realm=<realm>] [secprops=<properties>] [logbase=<base DN>] [logfilter=<filter str>] [syncdata=default|accesslog|changelog]

Specify the current database as a replica which is kept up-to-date with the master content by establishing the current slapd(8) as a replication consumer site running a syncrepl replication engine. The replica content is kept synchronized to the master content using the LDAP Content Synchronization protocol. Refer to the "OpenLDAP Administrator’s Guide" for detailed information on setting up a replicated slapd directory service using the syncrepl replication engine.

rid identifies the current syncrepl directive within the replication consumer site. It is a non-negative integer having no more than three digits.

provider specifies the replication provider site containing the master content as an LDAP URI. If <port> is not given, the standard LDAP port number (389 or 636) is used.

The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes searchbase, scope, filter, attrs, attrsonly, sizelimit, and timelimit parameters as in the normal search specification. The scope defaults to sub, the filter defaults to (objectclass=*), and there is no default searchbase. The attrs list defaults to "*,+" to return all user and operational attributes, and attrsonly is unset by default. The sizelimit and timelimit only accept "unlimited" and positive integers, and both default to "unlimited".

The LDAP Content Synchronization protocol has two operation types. In the refreshOnly operation, the next synchronization search operation is periodically rescheduled at an interval time (specified by interval parameter; 1 day by default) after each synchronization operation finishes. In the refreshAndPersist operation, a synchronization search remains persistent in the provider slapd. Further updates to the master replica will generate searchResultEntry to the consumer slapd as the search responses to the persistent synchronization search.

If an error occurs during replication, the consumer will attempt to reconnect according to the retry parameter which is a list of the <retry interval> and <# of retries> pairs. For example, retry="60 10 300 3" lets the consumer retry every 60 seconds for the first 10 times and then retry every 300 seconds for the next 3 times before stop retrying. The ‘+’ in <# of retries> means indefinite number of retries until success.

The schema checking can be enforced at the LDAP Sync consumer site by turning on the schemachecking parameter. The default is off.

The starttls parameter specifies use of the StartTLS extended operation to establish a TLS session before Binding to the provider. If the StartTLS request fails and the critical argument was used, the session will be aborted. Otherwise the syncrepl session continues without TLS.

A bindmethod of simple requires the options binddn and credentials and should only be used when adequate security services (e.g. TLS or IPSEC) are in place. REMEMBER: simple bind credentials must be in cleartext!

A bindmethod of sasl requires the option saslmech. Depending on the mechanism, an authentication identity and/or credentials can be specified using authcid and credentials. The authzid parameter may be used to specify an authorization identity. Specific security properties (as with the sasl-secprops keyword above) for a SASL bind can be set with the secprops option. A non default SASL realm can be set with the realm option.

Rather than replicating whole entries, the consumer can query logs of data modifications. This mode of operation is referred to as delta syncrepl. In addition to the above parameters, the logbase and logfilter parameters must be set appropriately for the log that will be used. The syncdata parameter must be set to either "accesslog" if the log conforms to the slapo-accesslog(5) log format, or "changelog" if the log conforms to the obsolete changelog format. If the syncdata parameter is omitted or set to "default" then the log parameters are ignored.
This is the syncrepl section of my man page for openssl.conf. Sorry, but I can't find the section that tells me where to point to a different certificate file. I use TLSCertificateFile to point to the certificate that is used for the ldaps:// part, i.e. acting as a server.
b) a way to not check for the SSL Client purpose in the certificate
That's a function of the SSL library; I would guess not.
For now I am going to create one that has both purposes ...
Alex
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Alex Samad wrote:
On Sun, Jan 20, 2008 at 07:45:06PM -0800, Howard Chu wrote:
Alex Samad wrote:
Is there
a) a way to specify another certificate to use in the syncrepl config
In OpenLDAP 2.4, yes. Read the manpage.
syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port] [type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss]
This is the syncrepl section of my man page for openssl.conf. Sorry, but I can't find the section that tells me where to point to a different certificate file. I use TLSCertificateFile to point to the certificate that is used for the ldaps:// part, i.e. acting as a server.
Learn how to type, or learn how to read. "openssl.conf" has nothing to do with this question. The text you quoted above is not the text from the current OpenLDAP 2.4 man pages. Pay attention to the details, otherwise you just waste your time and ours.
On Mon, Jan 21, 2008 at 04:26:53AM -0800, Howard Chu wrote:
Alex Samad wrote:
On Sun, Jan 20, 2008 at 07:45:06PM -0800, Howard Chu wrote:
Alex Samad wrote:
Is there
a) a way to specify another certificate to use in the syncrepl config
In OpenLDAP 2.4, yes. Read the manpage.
syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port] [type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss]
This is the syncrepl section of my man page for openssl.conf. Sorry, but I can't find the section that tells me where to point to a different certificate file. I use TLSCertificateFile to point to the certificate that is used for the ldaps:// part, i.e. acting as a server.
Learn how to type, or learn how to read. "openssl.conf" has nothing to do with this question. The text you quoted above is not the text from the current OpenLDAP 2.4 man pages. Pay attention to the details, otherwise you just waste your time and ours.
Yes, you're right, I typed openssl.conf instead of slapd.conf, and it is the man page from OpenLDAP 2.3.
Just for the archives, the link to the 2.4 man page for slapd.conf: http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&...
And it seems like syncrepl was changed from 2.3 to 2.4.
Thanks
Howard Chu hyc@symas.com wrote:
a) a way to specify another certificate to use in the syncrepl config
In OpenLDAP 2.4, yes. Read the manpage.
With 2.3, if a different cn is needed for the ldaps server and the syncrepl client, a certificate with subjectAltName may help.
On Mon, Jan 21, 2008 at 06:12:33AM +0100, Emmanuel Dreyfus wrote:
Howard Chu hyc@symas.com wrote:
a) a way to specify another certificate to use in the syncrepl config
In OpenLDAP 2.4, yes. Read the manpage.
With 2.3, if a different cn is needed for the ldaps server and the syncrepl client, a certificate with subjectAltName may help.
It's not the name.
There seem to be 2 scenarios in which a cert is used:
1) as a server, to verify that you have connected to the right machine and to ensure your packets are encrypted. This requires a certificate with purpose SSL Server.
2) as a client, when a ldap server in a syncrepl setup is talking to the master server. This requires a certificate with purpose SSL Client.
I am trying to find out if it is possible to use a different certificate for the syncrepl process, but I can't find it. Maybe it's in the saslmech option.
Alex
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
Hi,
Alex Samad alex@samad.com.au writes:
On Mon, Jan 21, 2008 at 06:12:33AM +0100, Emmanuel Dreyfus wrote:
Howard Chu hyc@symas.com wrote:
a) a way to specify another certificate to use in the syncrepl config
In OpenLDAP 2.4, yes. Read the manpage.
With 2.3, if a different cn is needed for the ldaps server and the syncrepl client, a certificate with subjectAltName may help.
It's not the name.
There seem to be 2 scenarios in which a cert is used:
- as a server, to verify that you have connected to the right machine and to ensure your packets are encrypted. This requires a certificate with purpose SSL Server.
- as a client, when a ldap server in a syncrepl setup is talking to the master server. This requires a certificate with purpose SSL Client.
I am trying to find out if it is possible to use a different certificate for the syncrepl process, but I can't find it. Maybe it's in the saslmech option.
You may use the sasl external mechanism and create a certificate with a DN matching the bindDN (although you don't have to define a binddn).
-Dieter
On Mon, Jan 21, 2008 at 08:20:49PM +0100, Dieter Kluenter wrote:
Hi,
Alex Samad alex@samad.com.au writes:
On Mon, Jan 21, 2008 at 06:12:33AM +0100, Emmanuel Dreyfus wrote:
Howard Chu hyc@symas.com wrote:
[snip]
I am trying to find out if it is possible to use a different certificate for the syncrepl process, but I can't find it. Maybe it's in the saslmech option.
You may use the sasl external mechanism and create a certificate with a DN matching the bindDN (although you don't have to define a binddn).
Yep, I have this set up. Seems like there is a bit of difference between 2.3 and 2.4. I am on Debian etch, which is currently on 2.3. In 2.4 there are provisions to specify the cert actually used for the syncrepl connection! This doesn't seem to be possible in 2.3.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
On Mon, 21 Jan 2008, Alex Samad wrote:
Howard Chu hyc@symas.com wrote:
a) a way to specify another certificate to use in the syncrepl config
In OpenLDAP 2.4, yes. Read the manpage.
...
There seems to be 2 scenario's that a cert is used,
- as a server to verify that you have connected to the right machine
and to ensure your packets are encrypted. This requires a certificate with purpose SSL Server
- as a client when a ldap server in a syncrepl setup is talking to the
master server. This requires a certificate with purpose SSL Client.
Correct.
I am trying to find out if it is possible to use a different certificate for the syncrepl process, but I can't find it.
To repeat what Howard wrote: it is possible, but *ONLY* with OpenLDAP version 2.4. If you're running 2.3 or earlier then it is not possible, period. Since the manpage you quoted in another message did not show the required suboptions, you apparently aren't running 2.4. Your choices now are to either: A) upgrade to 2.4 and use the new suboptions, or B) continue to use the same cert for the two 'scenarios' you gave above.
Maybe its in saslmech option.
The saslmech suboption has no effect on the cert used. (Why would it? SASL is logically at the layer above SSL.)
Philip Guenther
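The two "scenarios" above map onto the extendedKeyUsage values serverAuth and clientAuth, and OpenSSL's purpose checker is what reports them as "SSL server" and "SSL client". The script below is an added example, not code from the thread or from OpenLDAP: it issues two constructed self-signed test certificates, one with serverAuth only and one with both, and checks which of them could serve as the single shared cert that a 2.3 consumer needs for both the ldaps:// listener and the syncrepl connection. It assumes an openssl binary of 1.1.1 or newer (for -addext); all file names and the CN are made up.

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP): reproduce the failure
# described above by issuing two test certificates and asking OpenSSL's
# purpose checker which TLS roles each one may fill.
# Assumes openssl >= 1.1.1 for -addext. Paths and CN are constructed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU_LIST
# Self-signed certificate whose extendedKeyUsage is exactly EKU_LIST.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap-consumer.example.test" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# has_purpose CERT PURPOSE
# Succeeds if "openssl x509 -purpose" answers Yes for PURPOSE, e.g.
# "SSL server" (the ldaps:// listener) or "SSL client" (the cert the
# consumer presents when it binds to the provider).
has_purpose() {
    openssl x509 -in "$1" -noout -purpose | grep -q "^$2 : Yes"
}

# syncrepl_cert_ok CERT
# A single cert shared by both roles, as with the global TLSCertificateFile
# in 2.3, must carry both purposes; a serverAuth-only cert fails here.
syncrepl_cert_ok() {
    has_purpose "$1" "SSL server" && has_purpose "$1" "SSL client"
}

# Cert 1: EKU serverAuth only (the failing case). Cert 2: serverAuth+clientAuth.
make_cert server-only   "serverAuth"
make_cert server-client "serverAuth,clientAuth"

for name in server-only server-client; do
    if syncrepl_cert_ok "$WORK/$name.crt"; then
        echo "$name: usable for the ldaps listener and as syncrepl client"
    else
        echo "$name: lacks a purpose; not usable as the shared consumer cert"
    fi
done
```

In OpenLDAP 2.4 the shared-cert constraint goes away because the syncrepl directive takes its own tls_cert= and tls_key= suboptions for the consumer side; 2.3 has no per-consumer setting, which is the situation the thread ends on.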
On Mon, Jan 21, 2008 at 04:53:15PM -0700, Philip Guenther wrote:
On Mon, 21 Jan 2008, Alex Samad wrote:
Howard Chu hyc@symas.com wrote:
a) a way to specify another certificate to use in the syncrepl config
In OpenLDAP 2.4, yes. Read the manpage.
...
There seems to be 2 scenario's that a cert is used,
- as a server to verify that you have connected to the right machine and
to ensure your packets are encrypted. This requires a certificate with purpose SSL Server
- as a client when a ldap server in a syncrepl setup is talking to the
master server. This requires a certificate with purpose SSL Client.
Correct.
I am trying to find out if it is possible to use a different certificate for the syncrepl process, but I can't find it.
To repeat what Howard wrote: it is possible, but *ONLY* with OpenLDAP version 2.4. If you're running 2.3 or earlier then it is not possible,
Yep, I missed the reliance on 2.4.
period. Since the manpage you quoted in another message did not show the required suboptions, you apparently aren't running 2.4. Your choices now are to either: A) upgrade to 2.4 and use the new suboptions, or
Trying to track down a 2.4 .deb.
B) continue to use the same cert for the two 'scenarios' you gave above.
Doing that in the interim.
Maybe its in saslmech option.
The saslmech suboption has no effect on the cert used. (Why would it? SASL is logically at the layer above SSL.)
I asked because I wasn't sure; nothing else seemed obvious.
Philip Guenther
openldap-software@openldap.org