Task #2706

Story #1791: Create secure configuration for LDAP replication across various deployment Environments

Set up TLS for CN LDAP servers

Added by Matthew Jones over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Ben Leinfelder
Category:
-
Start date:
Due date:
% Done:

100%

Milestone:
CCI-1.0.0
Product Version:
*
Story Points:
Sprint:

History

#1 Updated by Ben Leinfelder over 12 years ago

Useful info regarding configuration.
http://www.zytrax.com/books/ldap/ch15/#tls

#2 Updated by Ben Leinfelder over 12 years ago

  • Assignee changed from Matthew Jones to Ben Leinfelder

Added a TLS section to the slapd.conf with reasonable defaults for our deployments:

# Security - TLS section
# server certificate and the private key that goes with it
TLSCertificateFile /etc/ssl/certs/_.dataone.org.crt
TLSCertificateKeyFile /etc/ssl/private/dataone_org.key
# OpenSSL cipher string: TLSv1 suites with RSA key exchange, no NULL (unencrypted) ciphers
TLSCipherSuite TLSv1+RSA:!NULL
# the following directive is the default but
# is explicitly included for visibility reasons
TLSVerifyClient never

The postinst/config process prompts for the private key location and we use this new value if it is provided.

#3 Updated by Ben Leinfelder over 12 years ago

  • Status changed from New to In Progress

would like to test this before "closing it"

#4 Updated by Ben Leinfelder over 12 years ago

Configured on cn-dev and worked through a few stumbles. The buildout should now prompt for everything it needs. We do need to make sure our private key files are readable by the ssl-cert group. Since private key deployment is manual, this can be a gotcha.

Will deploy on cn-dev-2 and cn-dev-3 to test actual synchronization.

#5 Updated by Ben Leinfelder over 12 years ago

Looks good across the cn-dev-* environment. But how do we tell that TLS is actually being used?!

#6 Updated by Dave Vieglais over 12 years ago

try:

sudo tcpdump -A -l -i eth0 port 389

then do something to initiate traffic

#7 Updated by Ben Leinfelder over 12 years ago

I updated my givenName in LDAP and saw this (replication?) call between cn-dev and cn-dev-3.

09:12:25.958862 IP (tos 0x0, ttl 64, id 50474, offset 0, flags [DF], proto TCP (6), length 969)
cn-dev.dataone.org.ldap > cn-dev-3.dataone.utk.edu.38957: Flags [P.], seq 2797535443:2797536360, ack 1768833982, win 71, options [nop,nop,TS val 49034346 ecr 734503393], length 917
....-....inC....GV/.....
..4j+........4Hto.F......%.'T...

Still not conclusive to me. What do you think?
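A conclusive answer to the question in #5, as an added example that is not part of the ticket or the DataONE buildout. The tcpdump capture in #7 cannot settle it: LDAP on port 389 is BER-encoded binary whether or not TLS is on, so unreadable bytes prove nothing (though a cleartext modify would show the attribute name and value, e.g. givenName, as ASCII in the -A output, and TLS records never do). The script below instead uses ldapsearch -ZZ, which refuses to continue unless StartTLS is negotiated, and openssl s_client to show which certificate the server presents; it also automates the ssl-cert permission check from #4. Hostnames and paths are assumptions taken from the ticket, it assumes OpenLDAP client tools and GNU stat (Debian/Ubuntu), and the -starttls ldap option needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the ticket or the DataONE buildout: conclusive
# checks that slapd really negotiates StartTLS on port 389, plus the
# "key not readable by ssl-cert" gotcha from comment #4.
# Assumptions: hostnames/paths are the ones quoted in the ticket (override
# via the environment); OpenLDAP client tools and GNU stat are installed
# (Debian/Ubuntu, where the ssl-cert group exists).

LDAP_HOST="${LDAP_HOST:-cn-dev.dataone.org}"
KEY_FILE="${KEY_FILE:-/etc/ssl/private/dataone_org.key}"
KEY_GROUP="${KEY_GROUP:-ssl-cert}"

# check_key_perms FILE GROUP
# 0 when FILE belongs to GROUP, is group-readable and has no permissions
# for "other"; 1 otherwise.  slapd runs as the openldap user, which must be
# in the ssl-cert group for TLSCertificateKeyFile to be loadable.
check_key_perms() {
    f="$1"
    want_group="$2"
    [ -f "$f" ] || { echo "no such key file: $f" >&2; return 1; }
    grp=$(stat -c '%G' "$f")
    mode=$(stat -c '%a' "$f")        # e.g. 640
    other=$((mode % 10))             # rightmost octal digit
    group=$((mode / 10 % 10))        # middle octal digit
    if [ "$grp" != "$want_group" ]; then
        echo "$f: group is $grp, expected $want_group" >&2
        return 1
    fi
    if [ "$other" -ne 0 ]; then
        echo "$f: accessible by others (mode $mode)" >&2
        return 1
    fi
    if [ $((group & 4)) -eq 0 ]; then
        echo "$f: not readable by group $want_group (mode $mode)" >&2
        return 1
    fi
    return 0
}

# check_starttls HOST
# ldapsearch -ZZ aborts unless StartTLS is negotiated, so exit status 0
# proves the server switched port 389 to TLS.  A single -Z would fall back
# to cleartext when the TLS handshake fails, which is exactly the ambiguity
# the tcpdump capture left open.
check_starttls() {
    ldapsearch -ZZ -x -H "ldap://$1" -b '' -s base '(objectClass=*)' namingContexts >/dev/null
}

# show_cert HOST
# Shows which certificate the server presents after StartTLS, so the one
# named in TLSCertificateFile can be confirmed (not a leftover default).
# Needs OpenSSL 1.1.1 or newer for "-starttls ldap".
show_cert() {
    openssl s_client -connect "$1:389" -starttls ldap </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

main() {
    check_key_perms "$KEY_FILE" "$KEY_GROUP" && echo "key permissions OK"
    check_starttls "$LDAP_HOST" && echo "StartTLS negotiated with $LDAP_HOST"
    show_cert "$LDAP_HOST"
}

# Run the checks only when invoked as "sh check_ldap_tls.sh --run", so the
# functions can also be sourced individually.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh check_ldap_tls.sh --run` on each cn-dev-* host. One caveat for the replication question specifically: the TLS directives in slapd.conf only make the server able to offer StartTLS. Whether the syncrepl traffic between cn-dev and cn-dev-3 actually uses it is decided on the consumer side, by the starttls=critical setting of its syncrepl directive; without that, a consumer can keep replicating in cleartext over the very same port 389 that the capture above was watching.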

#8 Updated by Ben Leinfelder over 12 years ago

  • Status changed from In Progress to Closed
