On 2013.07.31 06.36, Tony Davis wrote:
> I wonder if anyone can help me with a question I have regarding an
> openldap setup on Redhat / Centos 5.8 using openldap-2.3.43.
> I am trying to setup replication, I have set this up using the simple
> bind method, which stores a password for the replication in the config.
> (This works) but I wondered if there was a way to have this replication
> take place using ssl certificates without the need to store the unhashed
> password in the slapd.conf? Is this possible? or do I still have to
> specify a replication user and pass, but all the auth takes place over ssl?
you are talking about two different things. one is encryption, and one
making some basic assumptions [e.g. that the provider is properly
configured for encryption], using starttls means that communication is
encrypted, regardless of how you might be authenticating or what sasl
mechanism might be in use.
as far as authentication goes, if you want to do certificate based
authentication, first read the section in the admin guide which covers
this [chapter 16. using tls]. then, use ldapsearch or friends for the
exercise of set up and testing of the provider. once that is working,
translate those settings to the consumer syncrepl config element.
on a related note, the tls_cert/tls_key syncrepl settings are to specify
the key and cert of the client [e.g. the consumer]. not the provider.
those files are what the consumer will use when authenticating to the
provider via certificates.
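As an added example (not from this thread or from the OpenLDAP project), this is the shape the two slapd.conf sides take once the ldapsearch test described above works: the provider verifies the consumer's client certificate and maps its subject DN to a replication identity, and the consumer's syncrepl stanza binds with SASL EXTERNAL instead of a stored password. Hostnames, DNs, file paths and the replication identity are assumed values; confirm the exact subject DN string slapd sees with ldapwhoami before writing the authz-regexp, and check the directive names against the slapd.conf(5) man page shipped with your 2.3.43 build.

```conf
### Provider slapd.conf (constructed values, not the poster's setup)

TLSCACertificateFile    /etc/openldap/certs/ca.crt
TLSCertificateFile      /etc/openldap/certs/provider.crt
TLSCertificateKeyFile   /etc/openldap/certs/provider.key
# Request and verify the client certificate. "demand" rejects every TLS client
# that has no certificate; use "try" if ordinary LDAP clients do not carry one.
TLSVerifyClient         demand

# Map the subject DN of the consumer's certificate (the identity SASL EXTERNAL
# yields) onto a directory entry, so no password is stored anywhere for replication.
# Verify the left-hand string first:
#   ldapwhoami -H ldap://provider.example.com -ZZ -Y EXTERNAL
# (run on the consumer host with LDAPTLS_CERT/LDAPTLS_KEY pointing at its cert/key)
authz-regexp
  "cn=consumer1.example.com,ou=replicas,dc=example,dc=com"
  "cn=replicator,ou=system,dc=example,dc=com"

# The replication identity needs unlimited search results and read access to the tree.
limits dn.exact="cn=replicator,ou=system,dc=example,dc=com" time=unlimited size=unlimited
access to *
  by dn.exact="cn=replicator,ou=system,dc=example,dc=com" read
  by * break

### Consumer slapd.conf (same constructed values)

syncrepl rid=001
  provider=ldap://provider.example.com
  type=refreshAndPersist
  retry="60 10 300 +"
  searchbase="dc=example,dc=com"
  # StartTLS on the plain port; "critical" aborts the session rather than
  # falling back to cleartext if the TLS negotiation fails.
  starttls=critical
  tls_cacert=/etc/openldap/certs/ca.crt
  tls_reqcert=demand
  # tls_cert/tls_key are the CONSUMER's own certificate and key (the client side),
  # as the reply notes; the provider verifies them and maps the subject DN above.
  tls_cert=/etc/openldap/certs/consumer1.crt
  tls_key=/etc/openldap/certs/consumer1.key
  # No binddn/credentials line: the identity comes from the certificate.
  bindmethod=sasl
  saslmech=EXTERNAL
```

If the consumer still cannot read the tree, the usual causes are an authz-regexp pattern that does not match the DN ldapwhoami prints (case and attribute order matter) or an access rule that grants the mapped identity less than read.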