--On July 23, 2007 1:51:19 PM +0000 Emmanuel Dreyfus manu@netbsd.org wrote:
> For future reference, here is what I had to do to get multiple LDAP
> servers answering on the same DNS address and using TLS.
>
> The clients have this in ldap.conf:
>
>   BASE        dc=example,dc=net
>   TLS_CACERT  /etc/openssl/certs/ca.crt
>   URI         ldaps://ldap.example.net:636
>   TLS_REQCERT demand
>   # Cannot get this working!
>   # TLS_CRLCHECK peer
Just note that using SSL over port 636 is not a defined protocol, and may go away in the future. Avoiding its use when possible is recommended.
> - Having this working with syncrepl
>
> 4.1) On the syncrepl consumer (srv1 and srv2), in slapd.conf:
>
>   syncrepl rid=24
>       type=refreshAndPersist
>       searchbase="dc=example,dc=net"
>       starttls=critical
>       bindmethod=sasl
>       saslmech=EXTERNAL
>       retry=3,1,10,2,60,+
>
> Make sure rid is different on srv1 and srv2.
RID only needs to be unique inside a single configuration (i.e., for a single slapd instance). Both your replicas could use the same RID.
--Quanah

-- 
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
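Added example, not code from the thread or from the OpenLDAP project: it puts Quanah's two points into concrete config. The client ldap.conf reaches the servers on ldap:// and upgrades with StartTLS instead of relying on ldaps:// on 636, and the consumer slapd.conf keeps rid=24 on both srv1 and srv2, since a rid only has to be distinct among the syncrepl stanzas of one slapd. The check_rids function catches the case that does matter, two stanzas in one file sharing a rid. ldap.example.net, dc=example,dc=net and /etc/openssl/certs/ca.crt are the thread's; the provider URI, the consumer certificate and key paths, the database directory and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Hostnames, suffix and CA path
# are the thread's; provider URI, consumer cert/key paths and the database
# directory are assumed values for illustration.

# Client side: ldap:// on 389 plus StartTLS (ldapsearch -ZZ) instead of
# ldaps://:636. TLS_REQCERT demand still rejects any server certificate that
# the CA in TLS_CACERT did not sign.
write_client_ldap_conf() {
    cat > "$1" <<'EOF'
BASE        dc=example,dc=net
URI         ldap://ldap.example.net
TLS_CACERT  /etc/openssl/certs/ca.crt
TLS_REQCERT demand
EOF
}

# Consumer side, usable on srv1 and srv2 alike: the rid is only compared
# against the other syncrepl stanzas in this same file. The global TLS*
# directives supply the client certificate that SASL EXTERNAL presents to
# the provider over StartTLS (paths assumed).
write_consumer_slapd_conf() {
    cat > "$1" <<'EOF'
TLSCACertificateFile  /etc/openssl/certs/ca.crt
TLSCertificateFile    /etc/openssl/certs/consumer.crt
TLSCertificateKeyFile /etc/openssl/private/consumer.key

database bdb
suffix   "dc=example,dc=net"
directory /var/openldap-data

syncrepl rid=24
    provider=ldap://ldap.example.net
    type=refreshAndPersist
    searchbase="dc=example,dc=net"
    starttls=critical
    bindmethod=sasl
    saslmech=EXTERNAL
    retry="3,1,10,2,60,+"
EOF
}

# Return 0 when every rid=N token in the given slapd.conf is distinct and 1
# when a rid is reused. Tokens are scanned field by field so continuation
# lines of a syncrepl directive are handled like the first line.
check_rids() {
    awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^rid=[0-9]+$/ && seen[$i]++) dup = 1 }
        END { exit dup ? 1 : 0 }
    ' "$1"
}

# Stand-alone demo: write both files into a scratch directory and check them.
tmp=$(mktemp -d)
write_client_ldap_conf "$tmp/ldap.conf"
write_consumer_slapd_conf "$tmp/slapd.conf"
if check_rids "$tmp/slapd.conf"; then
    echo "rids unique in $tmp/slapd.conf"
else
    echo "duplicate rid in $tmp/slapd.conf"
fi
```

With the client file installed as ldap.conf, `ldapsearch -ZZ -x -H ldap://ldap.example.net -b dc=example,dc=net` exercises the StartTLS path; `-ZZ` makes the tool fail rather than fall back to cleartext if the upgrade is refused. For the consumer's SASL EXTERNAL bind to be useful, the provider still has to map the subject DN of the consumer certificate to an authorized identity (an `authz-regexp` in the provider's slapd.conf) and grant that identity read access to the replicated tree; the thread does not show that side, so it is not reproduced here.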