I use a cert with the VIP used by clients, and the hostnames used between the servers all setup in the subjectaltname of the certificate.
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org]
On Behalf Of coma
Sent: Tuesday, December 09, 2014 1:13 PM
To: Michael Ströder
Cc: openldap-technical@openldap.org
Subject: Re: N-Way multimaster Replication with TLS and multiple server certificates
Hello,
ok thank you. Just wanted to know if there was an alternative, now I know there are none! I will do as Quanah and you said.
Thanks again for for your responsiveness!
2014-12-09 20:55 GMT+01:00 Michael Ströder <michael@stroeder.com>:
coma wrote:
> My problem is that cn=config is replicated on all servers, including
> TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
> obviously not working (the certificate and key path of the first server are
> replicated on the second server).
>
> I know there is some solutions to workaround this "issue", like:
> - Don't replicate cn=config
> - Use the same certificate and key for all servers
> - Use the same certificate and key path in cn=config (ex:
> /etc/openldap/cert/common_cert_name.pem and
> /etc/openldap/cert/common_cert_name.key) and then make symlinks to the
> correct files on the local server
..or directly place the correct files to the same certificate and key path.
Yes, that's what
ansible/puppet/chef/name-your-favourite-config-management-tool
is for.
Ciao, Michael.