> ----- Original Message -----
> From: "Howard Chu" <[EMAIL PROTECTED]>
> To: "k bah" <[EMAIL PROTECTED]>
> Subject: Re: LDAP Replication +TLS +Self-signed certificate.
> Date: Fri, 15 Aug 2008 03:34:19 -0700
>
> k bah wrote:
> > Hi,
> >
> > I have LDAP replication set up (slurpd), and it works fine. Until a while ago I had
> > a CA certificate, and with that one I signed two other certificates, for two
> > different hosts. So I had 3 "hosts": one is the CA, another one is the LDAP Master
> > and the last the LDAP slave. Configuration on both master and slave slapd.conf
> > had:
> >
> > TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt
> > TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key
> > TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt
>
> That sounds like a correct configuration.
>
> > Now I changed the certificates; both the Master and Slave machines use
> > self-signed certificates. I changed the certificates/TLS config on several
> > services that used it and they work fine, but LDAP replication stopped
> > working.
>
> That is a bad configuration. The old saying applies - "if it ain't
> broke, don't fix it." Your original config was fine...

I tried this (and I guess it makes sense):

LDAP Master slapd.conf:

TLSCertificateFile /etc/openldap/ldap-master-cert.crt (self-signed certificate)
TLSCertificateKeyFile /etc/openldap/ldap-master-key.key
TLSCACertificateFile /etc/openldap/ldap-master-cert.crt

LDAP Slave slapd.conf:

TLSCertificateFile /etc/openldap/ldap-slave-cert.crt (self-signed certificate)
TLSCertificateKeyFile /etc/openldap/ldap-slave-key.key
TLSCACertificateFile /etc/openldap/ldap-slave-cert.crt

LDAP Master ldap.conf:

TLS_CACERT /etc/openldap/ldap-slave-cert.crt

(Since when replicating, the master server acts as a client to the LDAP slave server, right?)

Quoting the slurpd man page: "Note that slurpd reads replication directive from slapd.conf(5), but uses ldap.conf(5) to obtain other configuration settings (such as TLS settings)."

LDAP Slave ldap.conf:

TLS_CACERT /etc/openldap/ldap-master-cert.crt

(I can't figure out now why; does the LDAP slave server act as a client to the LDAP master server? When?)

> If you're replacing certs because they expired or some other
> reason, just duplicate the structure you had originally. Create one
> self-signed CA cert, then create your server certs and use your CA
> cert to sign all the other certs. Then distribute your CA cert to
> all the client machines as usual.
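The CA-signed layout Howard recommends, as an added example that is not from the thread and not OpenLDAP's own tooling: a POSIX shell script that builds one self-signed CA, signs a master and a slave server cert with it, and uses `openssl verify` (the same check a slapd/slurpd peer performs against `TLSCACertificateFile` / `TLS_CACERT`) to show why the all-self-signed layout above fails peer verification. The host names and the scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build the PKI layout Howard describes
# and show with `openssl verify` why the all-self-signed layout breaks.
# Host names and the scratch directory are constructed for this demo.
set -e

# Self-signed cert + key named $2 under $1. Used for the CA and, in the
# broken layout, for each server's own certificate.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Server key + CSR named $2, signed by $1/ca.crt: the recommended layout.
make_ca_signed() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" >/dev/null 2>&1
}

# What a peer does with TLSCACertificateFile / TLS_CACERT: verify the
# remote cert ($2) against the configured trust file ($1). Exit 0 = trusted.
verify_peer() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {
    if verify_peer "$1" "$2"; then echo "OK   $(basename "$2") trusted via $(basename "$1")"
    else echo "FAIL $(basename "$2") not trusted via $(basename "$1")"; fi
}

PKI_DIR=$(mktemp -d)
# Recommended layout: one CA, both server certs signed by it.
make_self_signed "$PKI_DIR" ca
make_ca_signed "$PKI_DIR" ldap-master
make_ca_signed "$PKI_DIR" ldap-slave
# Broken layout from the thread: each host has its own self-signed cert.
make_self_signed "$PKI_DIR" ss-master
make_self_signed "$PKI_DIR" ss-slave

report "$PKI_DIR/ca.crt" "$PKI_DIR/ldap-master.crt"      # OK
report "$PKI_DIR/ca.crt" "$PKI_DIR/ldap-slave.crt"       # OK
report "$PKI_DIR/ss-master.crt" "$PKI_DIR/ss-master.crt" # OK: a host trusts only itself
report "$PKI_DIR/ss-slave.crt" "$PKI_DIR/ss-master.crt"  # FAIL: slave rejects master
report "$PKI_DIR/ss-master.crt" "$PKI_DIR/ss-slave.crt"  # FAIL: master rejects slave
```

The last two lines are the replication failure from the thread: with `TLS_CACERT` pointing at the peer's self-signed cert each side trusts only one specific cert, and nothing signed by a common CA, so any re-issued or differing peer cert is rejected.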
