10:14 a.m.
Dear List,
i'm using N-Way multimaster replication with 2 servers (i will use it on 30
servers soon). Each server is using it's own certificate, so the content of
TLSCertificateFile and TLSCertificateKeyFile is different in the cn=config
of each of them.
My problem is that cn=config is replicated on all servers, including
TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
obviously not working (the certificate and key path of the first server are
replicated on the second server).
I know there is some solutions to workaround this "issue", like:
- Don't replicate cn=config
- Use the same certificate and key for all servers
- Use the same certificate and key path in cn=config (ex:
/etc/openldap/cert/common_cert_name.pem and
/etc/openldap/cert/common_cert_name.key) and then make symlinks to the
correct files on the local server
but I would avoid this type of solutions if possible, so i would like to
know if there is a solution to avoid to replicate TLSCertificateFile and
TLSCertificateKeyFile, or other trick?
Thank you in advance for any response,
Best regards,
11:30 a.m.
--On Tuesday, December 09, 2014 7:14 PM +0100 coma <coma.inf(a)gmail.com>
wrote:
Dear List,
i'm using N-Way multimaster replication with 2 servers (i will use it on
30 servers soon). Each server is using it's own certificate, so the
content of TLSCertificateFile and TLSCertificateKeyFile is different in
the cn=config of each of them.
My problem is that cn=config is replicated on all servers, including
TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
obviously not working (the certificate and key path of the first server
are replicated on the second server).
I know there is some solutions to workaround this "issue", like:
- Don't replicate cn=config
- Use the same certificate and key for all servers
- Use the same certificate and key path in cn=config (ex:
/etc/openldap/cert/common_cert_name.pem and
/etc/openldap/cert/common_cert_name.key) and then make symlinks to the
correct files on the local server
but I would avoid this type of solutions if possible, so i would like to
know if there is a solution to avoid to replicate TLSCertificateFile and
TLSCertificateKeyFile, or other trick?
Every server must be able to validate the cert of the other MMR nodes. For
that, it would be easiest to use the CA path attribute (vs file attribute).
For the cert setup for the servers themselves, generally yes, you can work
around that by having the same path to the cert on each node.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11:55 a.m.
coma wrote:
My problem is that cn=config is replicated on all servers, including
TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
obviously not working (the certificate and key path of the first server are
replicated on the second server).
I know there is some solutions to workaround this "issue", like:
- Don't replicate cn=config
- Use the same certificate and key for all servers
- Use the same certificate and key path in cn=config (ex:
/etc/openldap/cert/common_cert_name.pem and
/etc/openldap/cert/common_cert_name.key) and then make symlinks to the
correct files on the local server
..or directly place the correct files to the same certificate and key path.
Yes, that's what
ansible/puppet/chef/name-your-favourite-config-management-tool
is for.
Ciao, Michael.
1:12 p.m.
Hello,
ok thank you. Just wanted to know if there was an alternative, now I know
there are none! I will do as Quanah and you said.
Thanks again for for your responsiveness!
2014-12-09 20:55 GMT+01:00 Michael Ströder <michael(a)stroeder.com>:
coma wrote:
> My problem is that cn=config is replicated on all servers, including
> TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
> obviously not working (the certificate and key path of the first server
are
> replicated on the second server).
>
> I know there is some solutions to workaround this "issue", like:
> - Don't replicate cn=config
> - Use the same certificate and key for all servers
> - Use the same certificate and key path in cn=config (ex:
> /etc/openldap/cert/common_cert_name.pem and
> /etc/openldap/cert/common_cert_name.key) and then make symlinks to the
> correct files on the local server
..or directly place the correct files to the same certificate and key path.
Yes, that's what
ansible/puppet/chef/name-your-favourite-config-management-tool
is for.
Ciao, Michael.
2:18 p.m.
I use a cert with the VIP used by clients, and the hostnames used between the servers all
setup in the subjectaltname of the certificate.
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of
coma
Sent: Tuesday, December 09, 2014 1:13 PM
To: Michael Ströder
Cc: openldap-technical(a)openldap.org
Subject: Re: N-Way multimaster Replication with TLS and multiple server certificates
Hello,
ok thank you. Just wanted to know if there was an alternative, now I know there are none!
I will do as Quanah and you said.
Thanks again for for your responsiveness!
2014-12-09 20:55 GMT+01:00 Michael Ströder
<michael@stroeder.com<mailto:michael@stroeder.com>>:
coma wrote:
My problem is that cn=config is replicated on all servers,
including
TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
obviously not working (the certificate and key path of the first server are
replicated on the second server).
I know there is some solutions to workaround this "issue", like:
- Don't replicate cn=config
- Use the same certificate and key for all servers
- Use the same certificate and key path in cn=config (ex:
/etc/openldap/cert/common_cert_name.pem and
/etc/openldap/cert/common_cert_name.key) and then make symlinks to the
correct files on the local server
..or directly place the correct files to the same certificate and key path.
Yes, that's what
ansible/puppet/chef/name-your-favourite-config-management-tool
is for.
Ciao, Michael.
________________________________
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.
12:01 a.m.
New subject: Antw: RE: N-Way multimaster Replication with TLS and multiple server certificates
>> Chris Jacobs <Chris.Jacobs(a)apollo.edu> schrieb am
09.12.2014 um 23:18 in
Nachricht
<6C447584419BFE4E83D46E88F8131486D2CCB794E0(a)EXCH07-05.apollogrp.edu>:
I use a cert with the VIP used by clients, and the hostnames used
between
the
servers all setup in the subjectaltname of the certificate.
But this "solution" does not scale well when adding or removing servers...
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On
Behalf Of coma
Sent: Tuesday, December 09, 2014 1:13 PM
To: Michael Ströder
Cc: openldap-technical(a)openldap.org
Subject: Re: N-Way multimaster Replication with TLS and multiple server
certificates
Hello,
ok thank you. Just wanted to know if there was an alternative, now I know
there are none! I will do as Quanah and you said.
Thanks again for for your responsiveness!
2014-12-09 20:55 GMT+01:00 Michael Ströder
<michael@stroeder.com<mailto:michael@stroeder.com>>:
coma wrote:
> My problem is that cn=config is replicated on all servers, including
> TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
> obviously not working (the certificate and key path of the first server
are
> replicated on the second server).
>
> I know there is some solutions to workaround this "issue", like:
> - Don't replicate cn=config
> - Use the same certificate and key for all servers
> - Use the same certificate and key path in cn=config (ex:
> /etc/openldap/cert/common_cert_name.pem and
> /etc/openldap/cert/common_cert_name.key) and then make symlinks to the
> correct files on the local server
..or directly place the correct files to the same certificate and key path.
Yes, that's what
ansible/puppet/chef/name-your-favourite-config-management-tool
is for.
Ciao, Michael.
________________________________
This message is private and confidential. If you have received it in error,
please notify the sender and remove it from your system.
12:44 a.m.
New subject: Antw: RE: N-Way multimaster Replication with TLS and multiple server certificates
Ulrich Windl wrote:
> I use a cert with the VIP used by clients, and the hostnames used
between
> the servers all setup in the subjectaltname of the certificate.
But this "solution" does not scale well when adding or removing servers...
Why does it not scale?
If you have an individual cert for each server with the VIP DNS name in
subjectAltName you can just add servers as needed.
Ciao, Michael.
2800
days inactive
2801
days old
openldap-technical@openldap.org
6 comments
5 participants
participants (5)
-
Chris Jacobs -
coma -
Michael Ströder -
Quanah Gibson-Mount -
Ulrich Windl