--On July 23, 2007 1:51:19 PM +0000 Emmanuel Dreyfus <manu(a)netbsd.org>
wrote:
For future reference, here is what I had to do to get multiple LDAP
servers answering on the same DNS address and using TLS.
The clients have this in ldap.conf:
BASE dc=example,dc=net
TLS_CACERT /etc/openssl/certs/ca.crt
URI ldaps://ldap.example.net:636
TLS_REQCERT demand
# Cannot get this working!
# TLS_CRLCHECK peer
Just note that using SSL over port 636 is not a defined protocol, and may
go away in the future. Avoiding its use when possible is recommended.
4) Having this working with syncrepl
4.1) On the syncrepl consumer (srv1 and srv2), in slapd.conf:
syncrepl rid=24
type=refreshAndPersist
searchbase="dc=example,dc=net"
starttls=critical
bindmethod=sasl
saslmech=EXTERNAL
retry=3,1,10,2,60,+
Make sure rid is different on srv1 and srv2.
RID only needs to be unique inside a single configuration (i.e., for a
single slapd instance). Both your replicas could use the same RID.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
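A small configuration lint for the two points raised in this exchange (verifying the server certificate on the client side, and the rid uniqueness rule for syncrepl). This is an added example, not code from the thread or from OpenLDAP; the sample configs are constructed from the fragments quoted above.

```python
"""Check the ldap.conf / slapd.conf settings discussed in the thread.

Findings: TLS_REQCERT weaker than 'demand', no CA certificate configured,
ldaps:// URIs (the reply notes LDAP over SSL on 636 is not a defined
protocol; ldap:// with StartTLS is the standard alternative), and
duplicate syncrepl rid values within one slapd instance.
"""
import re

# Constructed client ldap.conf, mirroring the one quoted in the thread.
CLIENT_LDAP_CONF = """\
BASE dc=example,dc=net
TLS_CACERT /etc/openssl/certs/ca.crt
URI ldaps://ldap.example.net:636
TLS_REQCERT demand
# TLS_CRLCHECK peer
"""

def parse_conf(text):
    """Return (KEY, value) pairs for non-blank, non-comment lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return pairs

def lint_ldap_conf(text):
    """Return a list of findings for a client ldap.conf."""
    opts = dict(parse_conf(text))
    findings = []
    # ldap.conf defaults TLS_REQCERT to demand; only an explicit weaker value is a problem.
    if opts.get("TLS_REQCERT", "demand").lower() != "demand":
        findings.append("TLS_REQCERT weaker than demand: an unverified server certificate is accepted")
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the server certificate chain cannot be validated")
    for uri in opts.get("URI", "").split():
        if uri.lower().startswith("ldaps://"):
            findings.append(f"{uri}: ldaps on 636 is not a defined protocol; prefer ldap:// with StartTLS")
    return findings

def duplicate_rids(slapd_conf):
    """rid must be unique per slapd instance; return the rids that repeat within one config."""
    rids = re.findall(r"^\s*syncrepl\s+rid=(\d+)", slapd_conf, re.MULTILINE)
    return sorted({r for r in rids if rids.count(r) > 1})

if __name__ == "__main__":
    for finding in lint_ldap_conf(CLIENT_LDAP_CONF):
        print("ldap.conf:", finding)
```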