The methods you use to successfully complete a TLS handshake are completely dependent upon the methods you choose to implement "fail-over" to your second LDAP server. Will you be using a common name and virtual IP? Will you be using a common virtual name (DNS round robin or intelligent name server)? Will your client handle fail-over internally and connect directly to each server?
Once we have the details around your fail-over solution we can provide more advice on methods for handling the host name validation portion of your TLS handshake.
-Jon C. Kidder American Electric Power Middleware Services Email: jckidder@aep.com Phone: 614-716-4970
-----Original Message----- From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Julien Courtès Sent: Wednesday, March 12, 2014 11:58 AM To: openldap-technical@openldap.org Subject: TLS with multiple LDAP servers
This is an EXTERNAL email. STOP. THINK before you CLICK links or OPEN attachments.
********************************************************************** Hi, I have two LDAP servers in master-slave ldap1.domain.com - master ldap2.domain.com - slave These servers got different ip addresses and are hosted on different servers But I want to enable TLS connection with clients. So can I create a unique certificate that I put on both servers and the client will use one unique certificate to connect to server "ldap1" or "ldap2" if the first one is down.
If not, how should I do? I did a search and I found that I can use subjectAltNames or wildcard certificat.
Thanks
Julien Courtès