--On Tuesday, May 09, 2017 2:11 AM +0000 "Real, Elizabeth (392K)" Elizabeth.Real@jpl.nasa.gov wrote:
Hi Elizabeth,
> If "ldap://" is secure already then I do not need to proceed further.
That says nothing about whether or not your configuration is secure. Again, if it is "ldap://" with the startTLS LDAPv3 extension, and you've configured it to be required that it succeed, then it is secure. You've not provided the information that would be necessary to make such a determination. I would again advise reading the slapd-config(5) man page for the olcSyncRepl attribute, specifically the bits on the starttls, tls_cacert/tls_cacertdir, tls_cipher_suite, and tls_protocol_min configuration parameters.
You may also want to set olcSecurity (A value of "ssf=1" requires any and all connections to the server be encrypted). Changing this value from the default requires a server restart for it to go into effect.
> SSLv3 TLSv1.2
Those look like protocol versions, not cipher suites. ;)
> Why is version 2.4.40 unsafe for multi-master replication? I can upgrade at a later time; I just wanted to find out how to enable ldaps between the two servers.
You can read through the OpenLDAP Release notes here: http://www.openldap.org/software/release/changes.html
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
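For readers following the thread, here is a cn=config LDIF that puts the settings Quanah names (starttls, tls_cacert, tls_cipher_suite, tls_protocol_min on olcSyncRepl, plus olcSecurity ssf=1) into a two-node multi-master setup. This is an added example, not configuration from the thread or from the OpenLDAP project; the hostnames ldap1/ldap2.example.org, the suffix dc=example,dc=org, the replicator DN, the certificate paths, rid=001 and the cipher string are all placeholders for one node (ldap1), and the second node gets the mirror image with olcServerID, rid and provider swapped.

```ldif
# Added example, not from the thread. Placeholders: ldap1/ldap2.example.org,
# dc=example,dc=org, cn=replicator, the certificate paths and the secret.
# Global settings: a unique olcServerID per provider is required for
# multi-master; the TLS file attributes let this node accept StartTLS from
# its peer; olcTLSProtocolMin 3.3 refuses anything below TLS 1.2
# (slapd-config numbering: 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2).
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap1.example.org.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap1.example.org.key
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

# Database settings. olcSecurity ssf=1 rejects any connection that is not
# encrypted (a restart is needed for this change to take effect). On the
# consumer side, starttls=critical makes the sync connection fail rather
# than fall back to cleartext if StartTLS does not succeed, tls_reqcert=demand
# plus tls_cacert verify the peer's certificate against the named CA, and
# tls_protocol_min / tls_cipher_suite pin the negotiated protocol and ciphers.
# The cipher string below is OpenSSL syntax; its exact form depends on the
# TLS library slapd was built against (assumption for this example).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=1
-
replace: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://ldap2.example.org:389
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=org"
  credentials=REPLACE_WITH_SECRET
  searchbase="dc=example,dc=org"
  type=refreshAndPersist
  retry="5 5 300 +"
  starttls=critical
  tls_reqcert=demand
  tls_cacert=/etc/openldap/certs/ca.pem
  tls_protocol_min=3.3
  tls_cipher_suite=HIGH:!aNULL:!MD5
-
replace: olcMirrorMode
olcMirrorMode: TRUE
```

Apply it on the node with `ldapmodify -Y EXTERNAL -H ldapi:/// -f replication-tls.ldif`, restart slapd so olcSecurity takes effect, and confirm the peer actually enforces StartTLS from the consumer's point of view with `ldapwhoami -ZZ -H ldap://ldap2.example.org -x -D "cn=replicator,dc=example,dc=org" -W`: the doubled `-ZZ` makes the client abort if StartTLS fails instead of continuing in the clear, which is the same guarantee `starttls=critical` gives the syncrepl consumer. The lines of the olcSyncrepl value that begin with a single space are LDIF continuation lines and are joined into one value when loaded.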