Hi,
We have a direct tunnel connection to a vendor who uses our local LDAP, when I compiled OpenLDAP I did not enable SSL. Is it possible to re-compile it again with SSL enabled even if it's in production? We are moving one of our in house applications to a hosted/managed but still need to authenticate with local LDAP. Vendor is asking for Secure LDAP connection.
Thanks for the help.
On Mon, 1 Oct 2012, Darouichi, Aziz wrote:
> We have a direct tunnel connection to a vendor who uses our local LDAP, when I compiled OpenLDAP I did not enable SSL. Is it possible to re-compile it again with SSL enabled even if it's in production? We are moving one of our in house applications to a hosted/managed but still need to authenticate with local LDAP. Vendor is asking for Secure LDAP connection.
This should be OK in theory, but that server is going to need an outage to change binaries. You can safely treat it just like any other slapd upgrade (slapcat / stop slapd / install binaries / slapadd / start slapd) or, if you're completely confident that you have all the same libraries that your current version utilizes, you should be able to just drop in the new binaries and stop/start.
There's no obligation with the TLS-aware binary to actually configure TLS, so you can even come down with your old config and then set up TLS once you come back up.
Still, I'd recommend doing a slapcat now with your existing binaries just in case, and keeping that somewhere safe. (Of course you should be doing that regardless of your upgrade timing?)
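The upgrade sequence Aaron describes (slapcat, stop slapd, install binaries, slapadd, start slapd), written out as a script with an entry count checked on both sides so a truncated dump or a failed reload is caught before slapd goes back into service. This is an added example, not code from the thread or from the OpenLDAP project; the config path, database directory, init script, backup location and the slapd user are assumptions, and install_new_binaries is a placeholder for however the TLS-enabled build is actually deployed.

```bash
#!/bin/sh
# Added example (not from the thread): slapcat / stop / install / slapadd / start
# with a before-and-after entry count. All paths below are assumptions.
set -eu

SLAPD_CONF=${SLAPD_CONF:-/etc/openldap/slapd.conf}   # assumption: slapd.conf-style config
DB_DIR=${DB_DIR:-/var/lib/openldap-data}              # assumption: on-disk database directory
BACKUP_DIR=${BACKUP_DIR:-/var/backups/openldap}       # assumption: where dumps are kept
SLAPD_INIT=${SLAPD_INIT:-/etc/init.d/slapd}           # assumption: init script for slapd

# Number of entries in an LDIF file (or stdin when called with "-"): every entry
# begins with exactly one "dn:" line. Succeeds even when the count is zero; only
# a real grep error (exit 2, e.g. missing file) makes it fail.
ldif_entry_count() {
    grep -c '^dn:' "$1" || [ $? -eq 1 ]
}

# Dump the directory with the *current* binaries, as Aaron recommends, and
# refuse to continue if the dump is empty. Prints the dump path.
backup_directory() {
    mkdir -p "$BACKUP_DIR"
    out="$BACKUP_DIR/slapcat-$(date +%Y%m%d-%H%M%S).ldif"
    slapcat -f "$SLAPD_CONF" -l "$out"
    [ "$(ldif_entry_count "$out")" -gt 0 ] || { echo "empty dump, aborting" >&2; return 1; }
    echo "$out"
}

# Reload the dump with the new binaries into an empty database directory and
# compare counts. The old database is moved aside, not deleted.
restore_directory() {
    dump=$1
    expected=$(ldif_entry_count "$dump")
    slaptest -u -f "$SLAPD_CONF"            # new binary must still parse the old config
    mv "$DB_DIR" "$DB_DIR.pre-tls.$(date +%Y%m%d)"
    mkdir -p "$DB_DIR"
    slapadd -f "$SLAPD_CONF" -l "$dump"
    actual=$(slapcat -f "$SLAPD_CONF" | ldif_entry_count -)
    [ "$actual" -eq "$expected" ] || { echo "reload mismatch: $actual != $expected" >&2; return 1; }
    chown -R ldap:ldap "$DB_DIR"            # assumption: slapd runs as user/group ldap
}

# Placeholder: install the TLS-enabled slapd build (make install, package, ...).
install_new_binaries() {
    echo "placeholder: install the TLS-enabled slapd binaries here" >&2
}

# Only run the outage sequence when explicitly asked; sourcing the file just
# defines the functions.
if [ "${RUN_UPGRADE:-0}" = 1 ]; then
    dump=$(backup_directory)
    "$SLAPD_INIT" stop
    install_new_binaries
    restore_directory "$dump"
    "$SLAPD_INIT" start
fi
```

Run with RUN_UPGRADE=1 after replacing the placeholder; the slaptest call is a dry run that stops the script if the new build rejects the old slapd.conf, which is the point at which you would otherwise discover it with the service down. TLS directives can then be added to the config in a later, separate restart, as Aaron notes.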
On 10/01/12 16:01 -0400, Aaron Richton wrote:
> On Mon, 1 Oct 2012, Darouichi, Aziz wrote:
> > We have a direct tunnel connection to a vendor who uses our local LDAP, when I compiled OpenLDAP I did not enable SSL. Is it possible to re-compile it again with SSL enabled even if it's in production? We are moving one of our in house applications to a hosted/managed but still need to authenticate with local LDAP. Vendor is asking for Secure LDAP connection.
You can use stunnel to listen on port 636 and act as a lightweight ldaps proxy.
> This should be OK in theory, but that server is going to need an outage to change binaries. You can safely treat it just like any other slapd upgrade (slapcat / stop slapd / install binaries / slapadd / start slapd) or, if you're completely confident that you have all the same libraries that your current version utilizes, you should be able to just drop in the new binaries and stop/start.
> There's no obligation with the TLS-aware binary to actually configure TLS, so you can even come down with your old config and then set up TLS once you come back up.
> Still, I'd recommend doing a slapcat now with your existing binaries just in case, and keeping that somewhere safe. (Of course you should be doing that regardless of your upgrade timing?)
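The stunnel approach from the previous message, written out as an added example that is not from the original post or from the stunnel project: a server-mode service that accepts TLS on 636 and forwards to the unchanged slapd on 389, with the backend leg kept on loopback so the cleartext LDAP never leaves the host. The config path, certificate and key paths and the stunnel system user are assumptions.

```bash
#!/bin/sh
# Added example (not from the thread): stunnel as an ldaps:// front for a slapd
# built without TLS. Paths and the stunnel user are assumptions.
set -eu

STUNNEL_CONF=${STUNNEL_CONF:-/etc/stunnel/ldaps.conf}
CERT=${CERT:-/etc/stunnel/ldap.example.com.pem}   # assumption: server cert (+ chain), PEM
KEY=${KEY:-/etc/stunnel/ldap.example.com.key}     # assumption: private key, PEM

# Write a server-mode stunnel service: TLS on 636, plain LDAP to 127.0.0.1:389.
# Prints the path written.
write_stunnel_conf() {
    conf=$1; cert=$2; key=$3
    cat > "$conf" <<EOF
; generated by write_stunnel_conf
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel-ldaps.pid

[ldaps]
client = no
accept = 0.0.0.0:636
connect = 127.0.0.1:389
cert = $cert
key = $key
EOF
    echo "$conf"
}

# Sanity-check the generated file: one listener, server mode, and the backend
# on loopback so the unencrypted hop never crosses the network.
check_stunnel_conf() {
    conf=$1
    [ "$(grep -c '^accept' "$conf")" -eq 1 ] || return 1
    grep -q '^client = no$' "$conf" || return 1
    grep -q '^connect = 127\.0\.0\.1:389$' "$conf" || return 1
}

# After stunnel is up, read the rootDSE anonymously over ldaps:// with the
# OpenLDAP client tools to confirm the TLS listener answers.
verify_ldaps() {
    host=$1
    ldapsearch -H "ldaps://$host:636" -x -b '' -s base '(objectClass=*)' namingContexts
}

# Only configure and start when explicitly asked; sourcing just defines functions.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    f=$(write_stunnel_conf "$STUNNEL_CONF" "$CERT" "$KEY")
    check_stunnel_conf "$f"
    stunnel "$f"
    verify_ldaps "$(hostname -f)"
fi
```

The ldapsearch check only passes if the client trusts the certificate (TLS_CACERT in ldap.conf or the equivalent on the vendor side), which is the same trust the vendor will have to configure. Since slapd itself is untouched, port 389 is still open; if it is reachable over the vendor tunnel, restrict it to localhost at the firewall so the new 636 listener is the only way in.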
openldap-technical@openldap.org