On 10/23/18 8:44 PM, Jean-Francois Malouin wrote:
> Right now I have 2 Debian Stretch 9.5 servers running 2.4.46 from the stretch backports. Servers are in a MMR setup, using syncrepl for replication (NOT delta-syncrepl), with an LMDB backend.
> The intent is to use the directory as a user authentication repository for 100+ workstations. With what I said above, would such a setup be considered safe? Am I asking for trouble down the road with version 2.4.46?
It should work.
> Finally, should I rather consider the LTB project for Debian OpenLDAP, as has been mentioned in some other threads, rather than using the Debian backports? I'm a bit reluctant to roll my own packaging from source.
The recommendation for LTB builds has two reasons:
1. At times, Debian packages were far behind OpenLDAP's releases, while LTB package updates are most times published a couple of days after an OpenLDAP release.
2. Debian, and only Debian, links OpenLDAP with GnuTLS because they have some old licensing paranoia regarding OpenSSL. This caused trouble in the past. Forgot the details, not sure about the current state.
Bear in mind on Debian: the GnuTLS wrapper in OpenLDAP does not return TLS-related error messages as a diagnostic message to the client. So if cert validation fails at the client side, the only message you see is "Server Down". People then look for connection problems and do not get the idea to look for a cert config error. The OpenSSL wrapper returns a text message from the OpenSSL libs as a diagnostic message.
> Sorry for the very naive questions, I'm still fairly new to OpenLDAP!
Your questions are not naive. You're welcome to ask here.
Ciao, Michael.
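A small diagnostic, added here and not part of the thread, that repeats the TLS handshake an ldaps:// client performs using Python's OpenSSL-backed ssl module, so the verification reason a GnuTLS-linked client hides behind "Server Down" becomes visible. Host, port and CA file are placeholders to fill in; it assumes a direct-TLS listener (ldaps, port 636), not STARTTLS on 389.

```python
import socket
import ssl
from typing import Optional


def diagnose_ldaps_tls(host: str, port: int = 636,
                       cafile: Optional[str] = None,
                       timeout: float = 5.0) -> dict:
    """Connect to host:port with TLS the way an ldaps:// client would and
    report why it fails.  Result 'status' is one of 'ok', 'connect_error',
    'cert_error' or 'tls_error'; 'detail' carries the OpenSSL reason text
    (e.g. 'certificate verify failed') that the GnuTLS build does not pass
    back to the client."""
    # Default context verifies the chain and the hostname, i.e. the same
    # strictness as TLS_REQCERT demand in ldap.conf.  cafile=None uses the
    # system trust store; pass the CA you configured for the servers.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # A genuine "server down": refused, unreachable, DNS failure, timeout.
        return {"status": "connect_error", "detail": str(exc)}
    try:
        # wrap_socket performs the handshake immediately and raises on failure.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"status": "ok",
                    "detail": f"subject={cert.get('subject')} "
                              f"protocol={tls.version()}"}
    except ssl.SSLCertVerificationError as exc:
        # Chain or hostname problem: the case the thread describes.
        return {"status": "cert_error",
                "detail": exc.verify_message or str(exc)}
    except ssl.SSLError as exc:
        # Other TLS-level failure (protocol/cipher mismatch, bad record, ...).
        return {"status": "tls_error", "detail": exc.reason or str(exc)}
    except OSError as exc:
        # Handshake timeout or connection reset mid-handshake.
        return {"status": "tls_error", "detail": str(exc)}
    finally:
        raw.close()


if __name__ == "__main__":
    # Placeholder host; replace with one of the two replication peers.
    print(diagnose_ldaps_tls("ldap.example.invalid", 636))
```

Run it from the workstation that reports "Server Down": a cert_error result means the certificate or CA configuration is at fault, connect_error means it really is a network problem.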