30 messages in org.openldap.openldap-softwareRe: failover config: servers with sam...
FromSent OnAttachments
Emmanuel DreyfusJul 23, 2007 6:50 am 
Quanah Gibson-MountJul 23, 2007 11:01 am 
Emmanuel DreyfusJul 23, 2007 1:09 pm 
Quanah Gibson-MountJul 23, 2007 1:18 pm 
Russ AllberyJul 23, 2007 4:35 pm 
Christopher CowartJul 23, 2007 7:40 pm 
Howard ChuJul 23, 2007 9:58 pm 
Emmanuel DreyfusJul 24, 2007 1:02 am 
Howard ChuJul 24, 2007 1:54 am 
Emmanuel DreyfusJul 24, 2007 12:18 pm 
Quanah Gibson-MountJul 25, 2007 8:52 am 
Emmanuel DreyfusJul 25, 2007 9:06 am 
Quanah Gibson-MountJul 25, 2007 9:47 am 
Michael StröderJul 25, 2007 9:53 am 
Emmanuel DreyfusJul 25, 2007 10:36 am 
Quanah Gibson-MountJul 25, 2007 10:46 am 
Howard ChuJul 25, 2007 2:31 pm 
Michael StröderJul 25, 2007 2:38 pm 
Howard ChuJul 25, 2007 2:44 pm 
Russ AllberyJul 25, 2007 2:45 pm 
Norman GaywoodJul 25, 2007 3:04 pm 
Emmanuel DreyfusJul 25, 2007 8:30 pm 
Emmanuel DreyfusJul 25, 2007 8:31 pm 
Howard ChuJul 25, 2007 11:17 pm 
Ralf HaferkampJul 26, 2007 1:27 am 
Emmanuel DreyfusJul 26, 2007 4:04 am 
Emmanuel DreyfusJul 26, 2007 4:04 am 
Donn CaveJul 26, 2007 9:38 am 
Ralf HaferkampJul 26, 2007 11:46 am 
Howard ChuJul 27, 2007 2:13 am 
Actions with this message:
Paste this link in email or IM:
Paste this link in email or IM:
Atom feed for this thread
Paste this URL into your reader:
Subject:Re: failover config: servers with same DNS address and TLS, subjectAltName extensionActions...
From:Emmanuel Dreyfus (ma@netbsd.org)
Date:Jul 24, 2007 1:02:13 am
List:org.openldap.openldap-software

On Mon, Jul 23, 2007 at 09:58:37PM -0700, Howard Chu wrote:

# Cannot get this working! #TLS_CRLCHECK peer

This only works with recent OpenSSL 0.9.8 releases. You didn't mention which version of OpenSSL you're using. And since this entire subject is purely an OpenSSL matter and not an LDAP matter, that's a pretty key piece of information.

I used 0.9.7d. That information (a minimal version of OpenSSL is required for it to work) is quite important. Where was I supposed to find it? I've lost a few hours trying to get CRLworking, I'd have been better reading the right document.

In order to have this working, we need x509 certificate that have the subjectAltName extension. This is not an OpenLDAP-specific problem, but the information about how to do it seems difficult to find, hence, here is the result of my experiments.

The information is all at your fingertips. You just haven't absorbed it yet.

I beleive the information (which exists, I agree) is not very well oriented for the newcomer that tries to set up a new configuration.

Also note "subject alternative name" means exactly that - it lists *alternative* names for the identity. You don't have to list the real name here, since that's already going into the subject CN. It does no harm, but it does no good either. (And it makes your cert bigger than it needs to be...)

Thanks for that hint.

Install ca.crt and srv1.crt (srv2.crt) on srv1 (srv2), and configure slapd, with this in slapd.conf: TLSCertificateFile /etc/openssl/certs/srv1.crt TLSCertificateKeyFile /etc/openssl/private/srv1.key TLSCACertificateFile /etc/openssl/certs/ca.crt TLSVerifyClient allow sasl-secprops none

Setting "sasl-secprops none" is never a good idea. Why did you put this here?

I have users using plaintext login/password through TLS. Those are validated through SASL. As I understood, using plaintext password requires "sasl-secprops none", is that wrong?

No, that's not what it does. It turns off all security requirements in the SASL layer, allowing all insecure mechanisms to be used. A rather big mistake, after you've gone to the trouble of enabling secure authentication with certificates.

In my setup, the syncrepl consumer uses certificate and gets sensitive information such as userPassword. Users can use plaintext password over TLS and cannot get password hashes. Is it that odd?

-- Emmanuel Dreyfus ma@netbsd.org