Due to a decision of our IT Departement, I have to change the domain
name of ours openldap servers and by extention all of their
certificates. We have two ldap providers in mirror mode and fourteen
ldap consumers. Those servers have ACL based (in part) on IP address to
force TLS/SSL for some usages and they're accessed by a lots of ldap
I'm looking for a way to make a transition without duplicating all ldap
servers during the time we change the fqdn and CA certificate on each
client. This transition is quite easy with Apache and virtual host.
AFAIK, openldap doesn't provide a Virtual Host system so I have to find
an other way.
I have tried a solution with stunnel which listens on an other IP
address with a new certificate. But, as the connection from the stunnel
to the ldap server comes from localhost and not from the original
client, this is not working correctly with the ldaps's ACLs.
Is someone have do this before or someone has an idea to do it ?