On Friday, 26 November 2010 11:26:46 Konstantin Boyandin wrote:
> Hello,
> I am using a primary/secondary LDAP servers configuration, it works quite normally.
> I need to make LDAP authentication secure. I.e., I need both LDAP servers to provide LDAP over SSL/TLS, so that both the primary and the secondary LDAP server can be used (mentioned in ldap.conf).
> I have to use self-signed SSL certificates,
No, you don't have to use self-signed SSL certificates, you could use a single self-signed CA certificate, and sign your LDAP servers' SSL certificates with this single self-signed CA certificate.
> since the servers are located in an intranet, they have no 'real' domain names.
There is no reason servers in an intranet can't have "real" domain names.
> The problem is I can't figure out how to specify ldap.conf SSL parameters so that they could
> - verify the LDAP server certificate
> - be used with both primary and secondary LDAP servers
Your options are:
- 1 self-signed certificate with subjectAltName extensions allowing both hostnames and/or IP addresses etc. (however, some proprietary LDAP libraries don't support that well, e.g. on Solaris).
> Also, I'd prefer to use TLS - how do I run slapd so that it provides a TLS-aware connection on the standard port?
TLS on standard port is start_tls.
> Is it possible to set up slapd so that TLS is optional (for testing/transition purposes)?
If you have certificates defined in your slapd configuration (e.g. TLSCertificateFile, TLSCertificateKeyFile), this should work without any further configuration on the server side.
If you want to require TLS later, see the 'security' options for slapd.conf.
Regards, Buchan
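The setup Buchan describes, worked through as an added example that is not part of the thread: one self-signed CA, one certificate per LDAP server signed by that CA and carrying a subjectAltName for its hostname and IP address, an ldap.conf that trusts only the CA and demands verification, and the slapd.conf TLS lines with the `security` option left commented out for the transition period. The hostnames, IP addresses, base DN and file paths are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
set -e

# Build a minimal PKI under $1: one self-signed CA and two server certs
# signed by it. Clients then need to trust only ca.crt, and the same
# ldap.conf works against both servers (assumed names/IPs).
make_ldap_pki() (
    dir="$1"
    mkdir -p "$dir" && cd "$dir"
    # 1. the single self-signed CA (the only cert ldap.conf will trust)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout ca.key -out ca.crt -subj "/CN=Intranet LDAP CA" 2>/dev/null
    # 2. one cert per server, with SAN for both the hostname and the IP
    for srv in "ldap1.intranet.example:10.0.0.11" "ldap2.intranet.example:10.0.0.12"; do
        host="${srv%%:*}"; ip="${srv##*:}"
        openssl req -new -newkey rsa:2048 -nodes -keyout "$host.key" \
            -out "$host.csr" -subj "/CN=$host" 2>/dev/null
        printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
            "$host" "$ip" > "$host.ext"
        openssl x509 -req -in "$host.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 825 -extfile "$host.ext" \
            -out "$host.crt" 2>/dev/null
    done
)

# Returns 0 only if $2's cert chains to the CA in $1 and its SAN names $2;
# this is the check a TLS_REQCERT demand client performs, roughly.
check_server_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host" || return 1
}

# Client side: ldap.conf written to $1, trusting the CA file $2.
# Both servers are listed; TLS_REQCERT demand rejects any server whose
# certificate does not verify against TLS_CACERT.
write_ldap_conf() {
    cat > "$1" <<EOF
URI ldaps://ldap1.intranet.example ldaps://ldap2.intranet.example
BASE dc=example,dc=com
TLS_CACERT $2
TLS_REQCERT demand
EOF
}

# Server side: slapd.conf TLS lines for host $3 using the PKI in $2.
# With these set, start_tls on port 389 and ldaps on 636 both work; the
# 'security' line stays commented until TLS is to be mandatory.
write_slapd_tls_conf() {
    cat > "$1" <<EOF
TLSCACertificateFile $2/ca.crt
TLSCertificateFile $2/$3.crt
TLSCertificateKeyFile $2/$3.key
# Uncomment once every client does TLS; rejects non-TLS binds:
# security tls=1
EOF
}

if [ "${1:-}" = "demo" ]; then
    make_ldap_pki ./ldap-pki
    check_server_cert ./ldap-pki ldap1.intranet.example && echo "ldap1 cert OK"
    check_server_cert ./ldap-pki ldap2.intranet.example && echo "ldap2 cert OK"
    write_ldap_conf ./ldap-pki/ldap.conf "$(pwd)/ldap-pki/ca.crt"
    write_slapd_tls_conf ./ldap-pki/slapd-tls.conf "$(pwd)/ldap-pki" ldap1.intranet.example
fi
```

Run with `sh script.sh demo`. To exercise start_tls on the standard port rather than ldaps, keep `URI ldap://...` in ldap.conf and call `ldapsearch -ZZ`, which fails if the upgrade to TLS is refused; with `TLS_REQCERT demand` a server presenting a certificate not signed by the CA, or lacking a matching subjectAltName, is rejected either way.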