On Sun, Jan 20, 2008 at 07:45:06PM -0800, Howard Chu wrote:
> Alex Samad wrote:
>> Hi
>>
>> I am trying to build a network of ldap nodes synced with syncrepl using x509
>> certificates.
>>
>> I ran into a problem when I set up the first slave node. I created a
>> certificate that did not have the SSL Client purpose, but did have the SSL
>> Server purpose - I am presuming it is this, because of 2 certificates made
>> exactly the same way, 1 fails - the non SSL Client one - and the other works -
>> the one that has the SSL Client purpose.
>>
>> I am presuming that I need both purposes, SSL Server and SSL Client - the
>> former to allow ldaps usage and the latter for making ldap requests and being
>> a client in a syncrepl scenario.
>>
>> Is there
>>
>> a) a way to specify another certificate to use in the syncrepl config
>
> In OpenLDAP 2.4, yes. Read the manpage.
syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port]
        [type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss]
        [retry=[<retry interval> <# of retries>]+]
        searchbase=<base DN> [filter=<filter str>] [scope=sub|one|base]
        [attrs=<attr list>] [attrsonly] [sizelimit=<limit>]
        [timelimit=<limit>] [schemachecking=on|off] [starttls=yes|critical]
        [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>]
        [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>]
        [realm=<realm>] [secprops=<properties>]
        [logbase=<base DN>] [logfilter=<filter str>]
        [syncdata=default|accesslog|changelog]

        Specify the current database as a replica which is kept up-to-date
        with the master content by establishing the current slapd(8) as a
        replication consumer site running a syncrepl replication engine.
        The replica content is kept synchronized to the master content using
        the LDAP Content Synchronization protocol. Refer to the "OpenLDAP
        Administrator's Guide" for detailed information on setting up a
        replicated slapd directory service using the syncrepl replication
        engine.

        rid identifies the current syncrepl directive within the replication
        consumer site. It is a non-negative integer having no more than
        three digits.

        provider specifies the replication provider site containing the
        master content as an LDAP URI. If <port> is not given, the standard
        LDAP port number (389 or 636) is used.

        The content of the syncrepl replica is defined using a search
        specification as its result set. The consumer slapd will send search
        requests to the provider slapd according to the search
        specification. The search specification includes searchbase, scope,
        filter, attrs, attrsonly, sizelimit, and timelimit parameters as in
        the normal search specification. The scope defaults to sub, the
        filter defaults to (objectclass=*), and there is no default
        searchbase. The attrs list defaults to "*,+" to return all user and
        operational attributes, and attrsonly is unset by default. The
        sizelimit and timelimit only accept "unlimited" and positive
        integers, and both default to "unlimited".

        The LDAP Content Synchronization protocol has two operation types.
        In the refreshOnly operation, the next synchronization search
        operation is periodically rescheduled at an interval time (specified
        by the interval parameter; 1 day by default) after each
        synchronization operation finishes. In the refreshAndPersist
        operation, a synchronization search remains persistent in the
        provider slapd. Further updates to the master replica will generate
        searchResultEntry to the consumer slapd as the search responses to
        the persistent synchronization search.

        If an error occurs during replication, the consumer will attempt to
        reconnect according to the retry parameter which is a list of the
        <retry interval> and <# of retries> pairs. For example,
        retry="60 10 300 3" lets the consumer retry every 60 seconds for the
        first 10 times and then retry every 300 seconds for the next 3 times
        before it stops retrying. The '+' in <# of retries> means an
        indefinite number of retries until success.

        The schema checking can be enforced at the LDAP Sync consumer site
        by turning on the schemachecking parameter. The default is off.

        The starttls parameter specifies use of the StartTLS extended
        operation to establish a TLS session before Binding to the provider.
        If the StartTLS request fails and the critical argument was used,
        the session will be aborted. Otherwise the syncrepl session
        continues without TLS.

        A bindmethod of simple requires the options binddn and credentials
        and should only be used when adequate security services (e.g. TLS or
        IPSEC) are in place. REMEMBER: simple bind credentials must be in
        cleartext! A bindmethod of sasl requires the option saslmech.
        Depending on the mechanism, an authentication identity and/or
        credentials can be specified using authcid and credentials. The
        authzid parameter may be used to specify an authorization identity.
        Specific security properties (as with the sasl-secprops keyword
        above) for a SASL bind can be set with the secprops option. A
        non-default SASL realm can be set with the realm option.

        Rather than replicating whole entries, the consumer can query logs
        of data modifications. This mode of operation is referred to as
        delta syncrepl. In addition to the above parameters, the logbase and
        logfilter parameters must be set appropriately for the log that will
        be used. The syncdata parameter must be set to either "accesslog" if
        the log conforms to the slapo-accesslog(5) log format, or
        "changelog" if the log conforms to the obsolete changelog format. If
        the syncdata parameter is omitted or set to "default" then the log
        parameters are ignored.
This is the syncrepl section of my man page for openssl.conf. Sorry but I can't
find the section that tells me where to point to a different certificate file.
I use TLSCertificateFile to point to the certificate that is used for the
ldaps:// part, i.e. acting as a server.
>
>> b) a way to not check for the SSL Client purpose in the certificate
>
> That's a function of the SSL library; I would guess not.
>
>> For now I am going to create one that has both purposes ...
>
>> Alex
>>
>
>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
--
"And if you're interested in the quality of education and you're paying
attention to what you hear at Laclede, why don't you volunteer? Why don't you
mentor a child how to read?"
- George W. Bush
01/05/2004
St. Louis, MO
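As an added illustration, not part of this thread or of the OpenLDAP project's own documentation, the consumer-side slapd.conf fragment below shows the separation Howard refers to: the global TLSCertificateFile (server purpose) serves ldaps://, while the syncrepl directive presents its own client-purpose certificate. The tls_cert/tls_key/tls_cacert/tls_reqcert syncrepl options are the ones the OpenLDAP 2.4 slapd.conf(5) man page documents (they do not appear in the 2.3 text pasted above); all file paths, the provider host and the DNs are constructed placeholders.

```conf
# Consumer (replica) slapd.conf fragment - constructed example.
# Option names follow OpenLDAP 2.4 slapd.conf(5); paths and hosts are placeholders.

# Global TLS settings: the certificate slapd presents when it acts as the
# *server* (ldaps:// and inbound StartTLS). This certificate needs the
# "SSL Server" (serverAuth) extended key usage.
TLSCACertificateFile    /etc/ldap/ca/cacert.pem
TLSCertificateFile      /etc/ldap/certs/replica-server.pem
TLSCertificateKeyFile   /etc/ldap/private/replica-server.key
TLSVerifyClient         demand      # verify certificates of inbound clients

database    hdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap

# The syncrepl engine acts as a TLS *client* toward the provider, so the
# provider's TLSVerifyClient checks this certificate for the "SSL Client"
# (clientAuth) purpose. In 2.4 it can be a different file from
# TLSCertificateFile; without tls_cert the global server certificate is used.
syncrepl rid=001
        provider=ldaps://master.example.com
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=CHANGE_ME_PLACEHOLDER   # cleartext in this file: restrict its mode
        tls_cert=/etc/ldap/certs/replica-client.pem
        tls_key=/etc/ldap/private/replica-client.key
        tls_cacert=/etc/ldap/ca/cacert.pem
        tls_reqcert=demand                  # refuse the provider if its cert fails verification
```

Before deploying either file, `openssl x509 -noout -purpose -in <file>` lists which purposes ("SSL client", "SSL server") the certificate carries, which is the quickest way to confirm the diagnosis made in the thread.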