What I did:
* set up servers behind VIP
* obtain cert with primary name of VIP DNS w/ secondary names of the servers.
That way, the servers can sync/trust each other via the same cert used by clients.
Note: some clients (lookin at you Firefox) won't use the primary name if subjectAltName exists - so include primary name in the alt names JIC.
- chris
Chris Jacobs, Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc.
2001 6th Ave | Suite 3200 | Seattle, WA 98121
direct 206.839.8245 | cell 206.601.3256 | fax 206.839.8106
email chris.jacobs@apollogrp.edu
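The certificate layout Chris describes, as an added example that is not from the thread or from the OpenLDAP project: a POSIX shell script that issues a certificate whose CN is the VIP name and whose subjectAltName lists the VIP name plus both provider hostnames, then checks that every name a client or a syncrepl peer will present is actually in the SAN. The hostnames (ldap.example.com as the VIP, ldap-sid1/ldap-sid2 as the providers) are assumptions modelled on the thread, and the certificate is self-signed only so the script runs offline; in practice the same request (openssl req without -x509) goes to your CA.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP.
# Assumed names: ldap.example.com is the load-balancer VIP, ldap-sid1 and
# ldap-sid2 are the two mirrormode providers behind it.
VIP="ldap.example.com"
NODES="ldap-sid1.example.com ldap-sid2.example.com"
WORK="${TMPDIR:-/tmp}/ldap-tls-demo.$$"

# build_san: turn "a b c" into "DNS:a,DNS:b,DNS:c".  The VIP is passed in
# again here on purpose: once a SAN extension is present, some clients
# ignore the CN, so the primary name must be repeated among the alt names.
build_san() {
    san=""
    for n in "$@"; do
        san="${san:+$san,}DNS:$n"
    done
    printf '%s' "$san"
}

# make_cert: write a minimal openssl config carrying the SAN list and issue a
# key pair plus certificate.  Self-signed (-x509) so the example runs offline;
# drop -x509 to get a CSR for a real CA instead.
make_cert() {
    mkdir -p "$WORK" || return 1
    cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = $VIP
[v3_san]
subjectAltName = $(build_san "$VIP" $NODES)
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/slapd.key" -out "$WORK/slapd.crt" \
        -config "$WORK/san.cnf" >/dev/null 2>&1
}

# cert_has_name NAME: succeed only if DNS:NAME is listed in the SAN extension.
# The SAN line printed by "openssl x509 -text" follows the header line, so we
# read exactly one line after it and match the name as a whole entry.
cert_has_name() {
    openssl x509 -in "$WORK/slapd.crt" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$1(,|\$)"
}

# check_all_names: every name a client (VIP) or a syncrepl peer (each node)
# will verify against must be present; report the first one that is missing.
check_all_names() {
    for n in "$VIP" $NODES; do
        if ! cert_has_name "$n"; then
            echo "missing SAN entry for $n" >&2
            return 1
        fi
    done
    return 0
}

# Run the demonstration when executed directly.
make_cert && check_all_names && echo "certificate covers VIP and both provider names"
```

Point each slapd at this single certificate/key pair (TLSCertificateFile / TLSCertificateKeyFile in slapd.conf) and the syncrepl provider URLs can keep using the per-node names while clients keep using the VIP name, because all three are valid for the one certificate.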
________________________________
From: openldap-technical-bounces@OpenLDAP.org
To: openldap-technical@openldap.org
Sent: Fri Aug 26 12:49:04 2011
Subject: Syncrepl over TLS for mirrormode
From the openldap website the two nodes have to use different URLs like below:
    syncrepl rid=001
        provider=ldap://ldap-sid2.example.com
        bindmethod=simple
        binddn="cn=mirrormode,dc=example,dc=com"
        credentials=mirrormode
        searchbase="dc=example,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"

and

    syncrepl rid=001
        provider=ldap://ldap-sid1.example.com
        bindmethod=simple
        binddn="cn=mirrormode,dc=example,dc=com"
        credentials=mirrormode
        searchbase="dc=example,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
I can set two different certificates so that TLS is fine for sync between the two nodes. However, we will have regular LDAP clients accessing these two nodes behind a load balancer over TLS too. Obviously the client can't connect with ldap-sid2.example.com, nor with ldap-sid1.example.com. So what is the solution to this scenario? Set up a pool of consumers with the same hostname?
Thanks, Daniel