Thanks for the prompt response. On Fri, Jan 23, 2009 at 11:52:42AM -0800, Quanah Gibson-Mount wrote: > --On Friday, January 23, 2009 10:49 AM -0700 Rob Sims >> The problem goes away if I set server side parameters >> TLSCACertificateFile, TLSCertificateFile, and TLSCertificateKeyFile to >> valid values (I didn't try any smaller sets).
> tls_cacert is, as is stated in the docs, an override, not an
> initialization. I.e., for it to work, there must be a default server
> configuration first. There is no bug here.
I think it's reasonable to not have to generate a certificate/key pair
(and possibly a CA certificate if you're cloning a database you don't
own) that are unused because the server side doesn't offer TLS.
The application in this case is an intermittently connected device,
where full-time access to data is desired. The device itself serves no
networked clients.
I'm perfectly happy calling this a feature request, and assigning low
priority, as there is a rational workaround, but please leave this
report in a visible state until the syncrepl client can use TLS
independent of server TLS usage, or an appropriate error message is
generated.
>> From slapd.conf(5):
> The tls_reqcert setting defaults to "demand" and the other TLS
> settings default to the same as the main slapd TLS settings.
> This definitely could be clearer as to what it means, I'll follow up
> upstream.
The docs in general need more detail on TLS setup especially due to
the usage of GnuTLS; most online information covers openssl. In
particular, I'd suggest:
- noting a good set of ownership and permissions for key and cert
files; that the files are read after process ownership changes, and
not before.
- tls_cacertdir should note "is not supported when using GNUtls." like
the TLSCACertificatePath does
- if the only immediate fix is to be documentation:
"TLS usage by any module such as syncrepl requires that the local
server also be configured to serve TLS."
On the client pages:
- "<client> will use a configuration file as described in ldap.conf(5)";
normally I'd suggest including the actual loading rules, but they're
a bit extensive to repeat everywhere. The "See Also" reference is
insufficient as the conf file is an integral part of operation of
the tool.
- Note that the ldap.conf file has a richer set of options than the
command line
- That you must have a conf file to use the clients with TLS, as
there isn't a command line option for either the TLS_CACERT or
TLS_REQCERT options.
- That the default is to fail ldaps: queries if the server certificate
is valid but unverifiable; this is notable because the default
behavior of many other apps is to query the user in this case.
--
Rob
signature.asc
Description: Digital signature
