stepan.kipel@ab-group.biz wrote:
Full_Name: Stepan Kipel
Version: 2.4.19
OS: Red Hat Enterprise Linux AS release 4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (79.140.224.210)
In our network there are 2 servers running slapd, one is the syncrepl provider and the other is the consumer. Both have an identical IP address for LDAP requests and are configured in such a manner that when one goes down, the second takes over (configured externally, by routing). Also, TLS is configured and works transparently for client machines (DNS resolves their "common" IP), but it's hard to use their domain name for TLS syncrepl: DNS resolves the IP that is up on the local machine. We decided to put up another interface on the syncrepl provider for replication purposes, mapped another domain name to this interface, and appended the CA, server and private server certs created for this domain name to the files included by TLSCACertificateFile, TLSCertificateFile and TLSCertificateKey in the slapd.conf file, respectively. We've tried to execute ldapsearch with two different ldap.conf configs, for the first and the second domain name of the server; one works and the other does not. The error looks like "TLS: hostname (first_srv_name) does not match common name in certificate (second_srv_name)."
The question is: can the slapd server use more than 2 server certificates, or should we use another technology (tunneling, etc.) for encrypted syncrepl?
A server cert file and key file may only contain one item; that's a constraint from the underlying TLS library. You should not have needed to create a new CA for this situation. You should look at using a single server cert with a subjectAltName matching the alternate interface name.
The ITS is for bug reports, not for getting help on using the software. This ITS will be closed. Use the -software mailing list.
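As an added example (not part of the ITS thread and not OpenLDAP project code), the script below issues one server certificate whose subjectAltName carries both names the server is reached under, then shows that the hostname check accepts both names and rejects a third, and that the cert and key files each hold exactly one PEM object. The hostnames ldap.example.com and repl.example.com stand in for first_srv_name and second_srv_name, the paths are temporary, and the CA is a throwaway one constructed only so the script runs offline; in the reporter's setup the existing CA would sign the CSR instead. It assumes the openssl command line tool (1.1.0 or later for `verify -verify_hostname`).

```shell
#!/bin/sh
# Added example (not from the ITS thread or the OpenLDAP project): issue one
# server certificate whose subjectAltName carries both names slapd is reached
# under, then check which hostnames it matches. Hostnames, paths and the
# throwaway CA below are constructed for the example; a real deployment would
# have the existing CA sign the CSR instead of creating a new one.
# Assumes the openssl command line tool (1.1.0 or later for -verify_hostname).
set -eu

# Create a throwaway CA and a server cert in $1.
# $2 is the primary name (goes into the CN), $3 the alternate interface name.
make_san_cert() {
    dir=$1; primary=$2; alternate=$3

    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[ dn ]
CN = Constructed Example CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

    # The SAN lists every name a client may use to reach this slapd.
    cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_req

[ dn ]
CN = $primary

[ v3_req ]
subjectAltName = DNS:$primary, DNS:$alternate
extendedKeyUsage = serverAuth
EOF

    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/server.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" \
        >/dev/null 2>&1

    # -extfile/-extensions copies the SAN into the issued certificate; a CA that
    # ignores requested extensions would silently drop it.
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.cnf" -extensions v3_req -out "$dir/server.pem" \
        >/dev/null 2>&1
}

# Print the subjectAltName line of a certificate.
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeed when the cert ($1) chains to the CA ($2) and matches hostname $3,
# i.e. the check that yields "hostname ... does not match" when it fails.
cert_matches_host() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Number of PEM objects in a file; the server cert and key files given to
# slapd must each hold exactly one.
pem_object_count() {
    grep -c -e '-----BEGIN ' "$1"
}

# Stand-alone demonstration with constructed hostnames.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_san_cert "$work" ldap.example.com repl.example.com
    echo "PEM objects in server.pem: $(pem_object_count "$work/server.pem")"
    echo "SAN: $(san_of "$work/server.pem")"
    for h in ldap.example.com repl.example.com other.example.com; do
        if cert_matches_host "$work/server.pem" "$work/ca.pem" "$h"; then
            echo "$h: match"
        else
            echo "$h: no match"
        fi
    done
    rm -rf "$work"
fi
```

Once issued this way, a single server.pem goes in TLSCertificateFile and a single server.key in TLSCertificateKeyFile on the provider, with the CA that signed it in TLSCACertificateFile on both provider and consumer; the consumer can then name the replication interface in its syncrepl provider URI and the hostname check passes because that name is in the SAN, not because it is the CN.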