On Apr 21, 2010, at 11:54 PM, Siddhartha Jain wrote:

> Hi,
> 
> I have setup replication between two primary servers to use TLS.
> 
> The config says:
> {0}rid=101 provider=ldap://pldap01.xyz.net binddn="cn=Manager,dc=xyz,dc=net" 
> bindmethod=simple credentials=secret searchbase="dc=xyz,dc=net" 
> type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 
> starttls=yes tls_cert=/etc/openldap/cacerts/newcert.pem 
> tls_cacert=/etc/openldap/cacerts/cacert.pem 
> tls_key=/etc/openldap/cacerts/newreq.pem
> {1}rid=102 provider=ldap://pldap02.xyz.net binddn="cn=Manager,dc=xyz,dc=net" 
> bindmethod=simple credentials=secret searchbase="dc=xyz,dc=net" 
> type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 
> starttls=yes tls_cert=/etc/openldap/cacerts/newcert.pem 
> tls_cacert=/etc/openldap/cacerts/cacert.pem 
> tls_key=/etc/openldap/cacerts/newreq.pem
> 
> 
> Replication works alright but logs show these lines on pldap01:
> Apr 22 03:47:20 pldap01 slapd[3451]: conn=1089 fd=22 TLS established 
> tls_ssf=256 ssf=256
> Apr 22 03:47:20 pldap01 slapd[3451]: slap_client_connect: 
> URI=ldap://pldap02.xyz.net Warning, ldap_start_tls failed (-11)
> 
> And, this on pldap02:
> Apr 22 03:47:40 pldap02 slapd[2564]: conn=1096 fd=26 TLS established 
> tls_ssf=256 ssf=256
> Apr 22 03:47:51 pldap02 slapd[2564]: slap_client_connect: 
> URI=ldap://pldap01.xyz.net Warning, ldap_start_tls failed (-11)
> 
> 
> To be fair, the certificates are self-signed and don't match the DN but I am 
> assuming that "starttls=yes" forces TLS and the consumers cannot default to 
> plaintext. Right? If yes, does this mean that in syncrepl, tls use is 
> hardcoded to verify certificates and fall back to non-verified TLS session if 
> verification fails? Or, is this configurable meaning can I enforce 
> verification (preferable in production)?
> 
> 
> 
> Thanks,
> 
> - Siddhartha

To get clients to use unverified certs, you can add a line to your 
/etc/ldap/ldap.conf

TLS_REQCERT     allow

This tells the client to ignore certificate errors and use TLS without 
question.  Was this what you were looking for?  I don't know much else about 
your other questions, sorry.

-a
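The question of whether syncrepl can be made to enforce certificate verification (rather than the `TLS_REQCERT allow` route suggested above) comes down to two syncrepl options from slapd.conf(5): `starttls=critical` and `tls_reqcert=demand`. The following is an added example, not code from this thread or from OpenLDAP: a small linter that parses the poster's directive as written, flags the settings that let replication silently continue unverified or in plaintext, and checks a hardened copy; the sample directive is a constructed copy of the posted one.

```python
"""Lint OpenLDAP syncrepl directives for TLS settings that weaken replication.
Example code for this thread, not part of OpenLDAP. Option names come from
slapd.conf(5): starttls=yes|critical, tls_reqcert=never|allow|try|demand."""
import shlex

# Constructed sample: the posted directive (rid=101), including its "{0}" prefix.
SAMPLE = ('{0}rid=101 provider=ldap://pldap01.xyz.net binddn="cn=Manager,dc=xyz,dc=net" '
          'bindmethod=simple credentials=secret searchbase="dc=xyz,dc=net" '
          'type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 '
          'starttls=yes tls_cert=/etc/openldap/cacerts/newcert.pem '
          'tls_cacert=/etc/openldap/cacerts/cacert.pem tls_key=/etc/openldap/cacerts/newreq.pem')

# Same directive with StartTLS made mandatory and verification made explicit.
HARDENED = SAMPLE.replace("starttls=yes", "starttls=critical tls_reqcert=demand")

def parse_syncrepl(line):
    """Split a syncrepl directive into {option: value}; shlex keeps quoted values intact."""
    line = line.strip()
    if line.startswith("{"):                      # drop the "{n}" ordering prefix
        line = line[line.index("}") + 1:]
    opts = {}
    for tok in shlex.split(line):
        key, _, value = tok.partition("=")       # split on the first "=" only (DNs contain "=")
        opts[key.lower()] = value
    return opts

def check_tls(opts):
    """Return findings for the directive; an empty list means TLS is required and verified."""
    findings = []
    starttls = opts.get("starttls", "no").lower()
    reqcert = opts.get("tls_reqcert", "").lower()
    if opts.get("provider", "").startswith("ldap://") and starttls == "no":
        findings.append("plaintext: provider is ldap:// and starttls is not set")
    if starttls == "yes":
        findings.append("starttls=yes: a failed StartTLS is only logged and the session "
                        "continues in plaintext; use starttls=critical")
    if reqcert == "":
        findings.append("tls_reqcert not set: inherits TLS_REQCERT from ldap.conf; "
                        "set tls_reqcert=demand explicitly")
    elif reqcert in ("never", "allow"):
        findings.append(f"tls_reqcert={reqcert}: certificate errors are ignored, "
                        "so the provider is never authenticated")
    elif reqcert == "try":
        findings.append("tls_reqcert=try: a bad certificate aborts, but a missing one is accepted")
    if reqcert == "demand" and not ("tls_cacert" in opts or "tls_cacertdir" in opts):
        findings.append("tls_reqcert=demand without tls_cacert/tls_cacertdir: no trust anchor")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE), ("hardened", HARDENED)):
        print(label, "->", check_tls(parse_syncrepl(cfg)) or ["ok"])
```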
