Hello,
Due to a decision of our IT Department, I have to change the domain name of our OpenLDAP servers and by extension all of their certificates. We have two LDAP providers in mirror mode and fourteen LDAP consumers. Those servers have ACLs based (in part) on IP address to force TLS/SSL for some usages, and they're accessed by a lot of LDAP clients.
I'm looking for a way to make a transition without duplicating all LDAP servers during the time we change the FQDN and CA certificate on each client. This transition is quite easy with Apache and virtual hosts. AFAIK, OpenLDAP doesn't provide a virtual host system, so I have to find another way.
I have tried a solution with stunnel which listens on another IP address with a new certificate. But, as the connection from the stunnel to the LDAP server comes from localhost and not from the original client, this is not working correctly with the ldaps's ACLs.
Has anyone done this before, or does anyone have an idea how to do it?
Regards, Julien COMBES
On 27.10.2016. 17:15, COMBES Julien - SG/SPSSI/CPII/DOSE/ET/PNE ANNUAIRE ET MESSAGERIE wrote:
> Due to a decision of our IT Department, I have to change the domain name of our OpenLDAP servers and by extension all of their certificates.
> [...]
> I have tried a solution with stunnel which listens on another IP address with a new certificate. But, as the connection from the stunnel to the LDAP server comes from localhost and not from the original client

You could try the transparent source mode of stunnel if your kernel supports it.
Regards,
openldap-technical@openldap.org