Hey guys,
I’m running multi-master OpenLDAP (version 2.4.40) servers and need to secure replication. Can you point me to where I can find that information? What I found online is old and does not apply to the version I’m running.
The olcSyncRepl directive on both systems needs to go from:
olcSyncRepl: rid=001 provider=ldap
to:
olcSyncRepl: rid=001 provider=ldaps
Thank you, Liz
On 05/06/2017 02:56 AM, Real, Elizabeth (392K) wrote:
Hey guys,
I’m running multi-master OpenLDAP (version 2.4.40) servers and need to secure replication. Can you point me to where I can find that information? What I found online is old and does not apply to the version I’m running.
The olcSyncRepl directive on both systems needs to go from:
olcSyncRepl: rid=001 provider=ldap
to:
olcSyncRepl: rid=001 provider=ldaps
Thank you, Liz
Hi,
First you'll need to generate SSL certificates and enable TLS/SSL on your services.
After it is done you can use the ldaps:// URI with TLS parameters to point to the provider/consumer servers.
This is discussed in multiple places; in addition to the official OpenLDAP Admin Guide, just google your favorite Linux distribution with "openldap tls".
Real, Elizabeth (392K) wrote:
I’m running multi-master OpenLDAP (version 2.4.40) servers and need to secure replication. Can you point me to where I can find that information? What I found online is old and does not apply to the version I’m running.
The term "secure replication" is a bit blurry.
In general I set up replication like this:
- TLS everywhere => every replica has a server cert
- use the *individual* server certs as client certs for authenticating replicas
- use SASL/EXTERNAL with authz-regexp mapping to map to a distinct replica entry
- use an LDAP group entry for replication ACLs
- tighten TLS protocol to 1.2
- set cipher settings to use perfect forward secrecy (PFS)
YMMV
Ciao, Michael.
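As an added example (not posted by anyone in this thread), here is a cn=config LDIF that applies Michael's list on one node of a two-node multi-master pair, replacing Liz's plain ldap:// provider with ldaps:// plus certificate authentication. Host names, DNs, certificate paths, the {1}mdb database and the replicators group are assumed placeholders; the attribute names and the 3.3 (= TLS 1.2) protocol value are OpenLDAP 2.4's.

```ldif
# Global TLS settings for this replica. Paths and DNs are assumed.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/replica1.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/replica1.example.com.key
-
# "try": verify a client cert when one is presented (the peer replica),
# without forcing every ordinary LDAP client to carry one.
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
-
# 3.3 = TLS 1.2; older protocol versions are refused.
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
# ECDHE-only list gives PFS (OpenSSL syntax; a GnuTLS build takes a
# GnuTLS priority string instead).
replace: olcTLSCipherSuite
olcTLSCipherSuite: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
-
# Map the peer's certificate subject (the SASL/EXTERNAL identity) onto
# its own entry, so each replica authenticates as a distinct DN.
replace: olcAuthzRegexp
olcAuthzRegexp: {0}^cn=([^,]+),ou=replicas,o=example$ cn=$1,ou=replicas,dc=example,dc=com
-

# Replicated database: the replicators group gets read access to all of it,
# evaluated before the existing (more restrictive) rules; ordinary clients
# fall through to them via "break".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by group.exact="cn=replicators,ou=groups,dc=example,dc=com" read by * break
-
# Consumer side of the pair: ldaps://, this node's own cert as client cert,
# SASL/EXTERNAL bind, peer cert verified against the CA, TLS 1.2 minimum.
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldaps://replica2.example.com:636/
  type=refreshAndPersist searchbase="dc=example,dc=com"
  bindmethod=sasl saslmech=EXTERNAL
  tls_cacert=/etc/ldap/tls/ca.crt
  tls_cert=/etc/ldap/tls/replica1.example.com.crt
  tls_key=/etc/ldap/tls/replica1.example.com.key
  tls_reqcert=demand tls_protocol_min=3.3
  retry="5 5 300 +"
```

Apply it on each server with `ldapmodify -Y EXTERNAL -H ldapi:/// -f replica1.ldif`, swapping the host names and certificate paths for the other node; the existing olcServerID and olcMirrorMode settings of the pair are left untouched.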
openldap-technical@openldap.org