Hi,

I have LDAP replication setup (slurpd), works fine. Until a while ago I had a CA certificate, and with that one I signed other two certificates, for two different hosts. So I had 3 "hosts", one is the CA, another one is LDAP Master and the last the ldap slave. Configuration on both master and slave slapd.conf had:

TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt

Now I changed the certificates, both the Master and Slave machines use self signed certificates, I changed the certificates/tls config on several services that used it, they work fine, but LDAP replication stopped working.

1) To be clear (in order to have LDAP replication working with self signed certs + TLS on):

Master machine slapd.conf:

TLSCertificateFile /etc/openldap/master-machine-certificate.crt TLSCertificateKeyFile /etc/openldap/master-machine-key.key TLSCACertificateFile /etc/openldap/master-machine-certificate.crt

Master machine ldap.conf:

TLS_REQCERT allow TLS_CACERT /etc/openldap/master-machine-certificate.crt (DOES IT MATTER IF THIS MACHINE ONLY ACTS AS SERVER?)

Slave machine slapd.conf:

TLSCertificateFile /etc/openldap/slave-machine-certificate.crt TLSCertificateKeyFile /etc/openldap/slave-machine-key.key TLSCACertificateFile /etc/openldap/slave-machine-certificate.crt (as this option on slapd.conf is for the -server- part of the slave, right?)

Slave machine ldap.conf:

TLS_REQCERT allow TLS_CACERT ?????

2) Second question, on other machines that run LDAP clients, I should put what in ldap.conf (/etc/openldap/ldap.conf) for the TLS_CACERT option? Leave it blank, use the ldap master machine certificate or, if that machine queries the slave ldap machine, the slave ldap machine certificate for the ldap.conf TLS_CACERT option?

thanks a lot!

= Search for products and services at: http://search.mail.com