stepan.kipel(a)ab-group.biz wrote:
Full_Name: Stepan Kipel
Version: 2.4.19
OS: Red Hat Enterprise Linux AS release 4
URL:
ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (79.140.224.210)
In our network there are 2 servers running slapd, one is syncrepl-provider and
other is consumer. Both have identical IP address for LDAP requests and
configured in manner that when one goes down, second takes over (configured
externally, by routing). Also, TLS is configured and works transparently for
client machines (DNS resolves their "common" IP), but it's hard to use their
Domain Name for TLS syncrepl - DNS resolves IP, that is up on local machine. We
decided to put up other interface on syncrepl-provider for replication purposes,
mapped another Domain Name on this interface and appended CA, server and private
server certs created for this Domain Names to files included by
TLSCACertificateFile, TLSCertificateFile and TLSCertificateKey in slapd.conf
file, respectively. We've tried to execute ldapsearch with two different
ldap.conf configs - for first and second domain name of the server; one works
and the other does not. The error looks like "TLS: hostname (first_srv_name) does not
match common name in certificate (second_srv_name)."
The question is - can slapd server use more than 2 server certificates or we
should use another technology (tunneling, etc...) for encrypted syncrepl?

A server cert file and key file may only contain one item; that's a constraint
from the underlying TLS library. You should not have needed to create a new CA
for this situation. You should look at using a single server cert with a
subjectAltName matching the alternate interface name.
The ITS is for bug reports, not for getting help on using the software. This
ITS will be closed. Use the -software mailing list.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
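The exchange above comes down to how a TLS client checks the name it connected to against the server's certificate: a certificate with only a commonName can satisfy exactly one hostname, whereas a subjectAltName extension can list every name the server answers to (and, once a subjectAltName with DNS entries is present, verifiers ignore the CN altogether). The following is an added illustration, not code from OpenLDAP or from either poster; it reimplements that matching rule over certificates in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, using constructed sample certificates and hostnames under the reserved `example.test` domain rather than anything from the report.

```python
"""Hostname-to-certificate matching, in the style of RFC 6125 / RFC 2818.

Added example (not OpenLDAP code).  Certificates are represented the way
ssl.SSLSocket.getpeercert() returns them: a 'subject' tuple of RDNs and an
optional 'subjectAltName' tuple of (type, value) pairs.
"""


def cert_names(cert):
    """Return (san_dns_names, common_names) from a getpeercert()-style dict."""
    san = [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [val for rdn in cert.get("subject", ())
           for key, val in rdn if key == "commonName"]
    return san, cns


def dns_name_matches(pattern, hostname):
    """Compare one certificate name with the requested hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A single
    leading '*.' wildcard matches exactly one left-most label and is only
    honoured when at least two labels follow it (so '*.test' is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if "." not in suffix:
            return False
        labels = hostname.split(".")
        return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == suffix
    return pattern == hostname


def hostname_matches(cert, hostname):
    """True if the certificate is valid for `hostname`.

    If the certificate carries any DNS subjectAltName entries, only those
    are consulted; the commonName is a fallback for SAN-less certificates.
    """
    san, cns = cert_names(cert)
    candidates = san if san else cns
    return any(dns_name_matches(name, hostname) for name in candidates)


def verify_message(cert, hostname):
    """Return None on success, or an error string modelled on the one quoted
    in the report, naming the first certificate name that was tried."""
    if hostname_matches(cert, hostname):
        return None
    san, cns = cert_names(cert)
    presented = (san or cns or ["<no name>"])[0]
    where = "subjectAltName" if san else "common name"
    return "TLS: hostname (%s) does not match %s in certificate (%s)." % (
        hostname, where, presented)


# Constructed sample certificates (not real ones).  CN_ONLY_CERT models the
# situation in the report: one name in the CN, so the second interface name
# fails.  SAN_CERT models the suggested fix: one certificate whose
# subjectAltName lists both names.
CN_ONLY_CERT = {
    "subject": ((("commonName", "ldap.example.test"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (("DNS", "ldap.example.test"),
                       ("DNS", "repl.ldap.example.test")),
}
# A cert whose SAN omits the CN name: shows that the CN is not a fallback once
# SAN DNS entries exist.
SAN_WITHOUT_CN_CERT = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (("DNS", "repl.ldap.example.test"),),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT), ("CN + SAN", SAN_CERT)):
        for host in ("ldap.example.test", "repl.ldap.example.test"):
            print("%-8s %-24s -> %s" % (label, host, verify_message(cert, host) or "ok"))
```

When issuing the real certificate, the equivalent is to request it with a `subjectAltName` extension listing both DNS names (the primary service name and the replication interface name); any client, slapd's syncrepl consumer included, then matches whichever name it used to connect.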