I use a cert with the VIP used by clients, and the hostnames used between the servers all setup in the subjectaltname of the certificate.
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of coma Sent: Tuesday, December 09, 2014 1:13 PM To: Michael Ströder Cc: openldap-technical@openldap.org Subject: Re: N-Way multimaster Replication with TLS and multiple server certificates
Hello, ok thank you. Just wanted to know if there was an alternative, now I know there are none! I will do as Quanah and you said. Thanks again for for your responsiveness!
2014-12-09 20:55 GMT+01:00 Michael Ströder <michael@stroeder.commailto:michael@stroeder.com>: coma wrote:
My problem is that cn=config is replicated on all servers, including TLSCertificateFile and TLSCertificateKeyFile... therefore the replication obviously not working (the certificate and key path of the first server are replicated on the second server).
I know there is some solutions to workaround this "issue", like:
- Don't replicate cn=config
- Use the same certificate and key for all servers
- Use the same certificate and key path in cn=config (ex:
/etc/openldap/cert/common_cert_name.pem and /etc/openldap/cert/common_cert_name.key) and then make symlinks to the correct files on the local server
..or directly place the correct files to the same certificate and key path.
Yes, that's what ansible/puppet/chef/name-your-favourite-config-management-tool is for.
Ciao, Michael.
________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.