I use a cert with the VIP used by clients, and the hostnames used between the servers all set up in the subjectAltName of the certificate.


From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of coma
Sent: Tuesday, December 09, 2014 1:13 PM
To: Michael Ströder
Cc: openldap-technical@openldap.org
Subject: Re: N-Way multimaster Replication with TLS and multiple server certificates


Hello,

OK, thank you. Just wanted to know if there was an alternative; now I know there is none! I will do as Quanah and you said.

Thanks again for your responsiveness!


2014-12-09 20:55 GMT+01:00 Michael Ströder <michael@stroeder.com>:

coma wrote:
> My problem is that cn=config is replicated on all servers, including
> TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
> obviously not working (the certificate and key path of the first server are
> replicated on the second server).
>
> I know there is some solutions to workaround this "issue", like:
> - Don't replicate cn=config
> - Use the same certificate and key for all servers
> - Use the same certificate and key path in cn=config (ex:
> /etc/openldap/cert/common_cert_name.pem and
> /etc/openldap/cert/common_cert_name.key) and then make symlinks to the
> correct files on the local server

...or directly place the correct files at the same certificate and key path.

Yes, that's what ansible/puppet/chef/name-your-favourite-config-management-tool is for.

Ciao, Michael.
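The workaround settled on above (one common olcTLSCertificateFile/olcTLSCertificateKeyFile path in the replicated cn=config, with each host's own files placed there by config management) means every replica trusts whatever sits at that path, so a post-deploy check is worth having. The following POSIX shell script is an added example, not code from the thread or from OpenLDAP: it verifies that the key at the common path matches the certificate and that the certificate's subjectAltName lists the local hostname plus any extra names such as the VIP name; the paths are the ones from the thread, the hostnames are assumptions.

```shell
#!/bin/sh
# Post-deploy check for the "same path on every server" workaround: every
# replica reads the common path below, so only the files placed there decide
# whether this host presents the right identity. Verify the key matches the
# cert and the cert's subjectAltName lists this host (plus e.g. the VIP name).
# Paths are the ones from the thread; hostnames in the test are constructed.

CERT=${CERT:-/etc/openldap/cert/common_cert_name.pem}
KEY=${KEY:-/etc/openldap/cert/common_cert_name.key}

# List the DNS names from the certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# True when the private key's public half equals the certificate's public key.
key_matches_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when NAME is exactly one of the certificate's SAN DNS entries.
cert_covers_name() {
    san_dns_names "$1" | grep -qxF "$2"
}

# check_replica_tls CERT KEY NAME [NAME...]: every check must pass.
check_replica_tls() {
    cert=$1; key=$2; shift 2
    key_matches_cert "$cert" "$key" \
        || { echo "FAIL: key $key does not match $cert" >&2; return 1; }
    for name; do
        cert_covers_name "$cert" "$name" \
            || { echo "FAIL: $cert has no SAN DNS entry for $name" >&2; return 1; }
    done
    echo "OK: $cert and $key are valid for: $*"
}

# When run on a replica: check the local hostname plus any names given as args.
if [ -r "$CERT" ]; then
    check_replica_tls "$CERT" "$KEY" "$(hostname -f)" "$@"
fi
```

Run it on each replica after the config-management deploy (passing the VIP name as an argument on the client-facing node); a non-zero exit means that host would serve the wrong identity.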
