8:57 a.m.
Hi,
I have two LDAP servers in master-slave
ldap1.domain.com - master
ldap2.domain.com - slave
These servers got different ip addresses and are hosted on different servers
But I want to enable TLS connection with clients.
So can I create a unique certificate that I put on both servers and the
client will use one unique certificate to connect to server "ldap1" or
"ldap2" if the first one is down.
If not, how should I do?
I did a search and I found that I can use subjectAltNames or wildcard
certificat.
Thanks
Julien Courtès
9:30 a.m.
One way of doing this would be to create a CA cert and sign the two
certificates for the two LDAP servers with this CA cert and install the CA
cert on the clients.
Siddharth Choure
Senior Systems Engineer
On 3/12/14, 10:57 AM, "Julien Courtès" <julien.courtes(a)yooda.com> wrote:
Hi,
I have two LDAP servers in master-slave
ldap1.domain.com - master
ldap2.domain.com - slave
These servers got different ip addresses and are hosted on different
servers
But I want to enable TLS connection with clients.
So can I create a unique certificate that I put on both servers and the
client will use one unique certificate to connect to server "ldap1" or
"ldap2" if the first one is down.
If not, how should I do?
I did a search and I found that I can use subjectAltNames or wildcard
certificat.
Thanks
Julien Courtès
9:32 a.m.
Hi, Julien;
I had almost the same question a few months back. It was recommended to me
to use wildcard certificates. Though my configuration is a Multi-Master and
not a true master/slave.
John
-----Original Message-----
From: openldap-technical-bounces(a)OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Julien Courtès
Sent: Wednesday, March 12, 2014 11:58 AM
To: openldap-technical(a)openldap.org
Subject: TLS with multiple LDAP servers
Hi,
I have two LDAP servers in master-slave
ldap1.domain.com - master
ldap2.domain.com - slave
These servers got different ip addresses and are hosted on different servers
But I want to enable TLS connection with clients.
So can I create a unique certificate that I put on both servers and the
client will use one unique certificate to connect to server "ldap1" or
"ldap2" if the first one is down.
If not, how should I do?
I did a search and I found that I can use subjectAltNames or wildcard
certificat.
Thanks
Julien Courtès
9:39 a.m.
Am Wed, 12 Mar 2014 16:57:57 +0100
schrieb Julien Courtès <julien.courtes(a)yooda.com>:
Hi,
I have two LDAP servers in master-slave
ldap1.domain.com - master
ldap2.domain.com - slave
These servers got different ip addresses and are hosted on different
servers But I want to enable TLS connection with clients.
So can I create a unique certificate that I put on both servers and
the client will use one unique certificate to connect to server
"ldap1" or "ldap2" if the first one is down.
If not, how should I do?
I did a search and I found that I can use subjectAltNames or wildcard
certificat.
As you know the answer to your question already, just test to find out
which one fits best to your requirements.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
9:53 a.m.
The methods you use to successfully complete a TLS handshake are completely dependent upon
the methods you choose to implement "fail-over" to your second LDAP server.
Will you be using a common name and virtual IP? Will you be using a common virtual name
(DNS round robin or intelligent name server)? Will your client handle fail-over internally
and connect directly to each server?
Once we have the details around your fail-over solution we can provide more advice on
methods for handling the host name validation portion of your TLS handshake.
-Jon C. Kidder
American Electric Power
Middleware Services
Email: jckidder(a)aep.com
Phone: 614-716-4970
-----Original Message-----
From: openldap-technical-bounces(a)OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Julien Courtès
Sent: Wednesday, March 12, 2014 11:58 AM
To: openldap-technical(a)openldap.org
Subject: TLS with multiple LDAP servers
This is an EXTERNAL email. STOP. THINK before you CLICK links or OPEN attachments.
**********************************************************************
Hi,
I have two LDAP servers in master-slave
ldap1.domain.com - master
ldap2.domain.com - slave
These servers got different ip addresses and are hosted on different servers But I want to
enable TLS connection with clients.
So can I create a unique certificate that I put on both servers and the client will use
one unique certificate to connect to server "ldap1" or "ldap2" if the
first one is down.
If not, how should I do?
I did a search and I found that I can use subjectAltNames or wildcard certificat.
Thanks
Julien Courtès
2:05 a.m.
Hey,
thanks everyone. I think I will try to use a wildcard certificate
I will use a common name for my LDAP server and I won't use DNS round
robin or intelligent name server.
And I think my client will handle fail-over internally and connect
directly to each server.
Julien Courtès
Le 12/03/2014 17:53, Jon C Kidder a écrit :
The methods you use to successfully complete a TLS handshake are
completely dependent upon the methods you choose to implement "fail-over" to
your second LDAP server. Will you be using a common name and virtual IP? Will you be
using a common virtual name (DNS round robin or intelligent name server)? Will your client
handle fail-over internally and connect directly to each server?
Once we have the details around your fail-over solution we can provide more advice on
methods for handling the host name validation portion of your TLS handshake.
-Jon C. Kidder
American Electric Power
Middleware Services
Email: jckidder(a)aep.com
Phone: 614-716-4970
-----Original Message-----
From: openldap-technical-bounces(a)OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Julien Courtès
Sent: Wednesday, March 12, 2014 11:58 AM
To: openldap-technical(a)openldap.org
Subject: TLS with multiple LDAP servers
This is an EXTERNAL email. STOP. THINK before you CLICK links or OPEN attachments.
**********************************************************************
Hi,
I have two LDAP servers in master-slave
ldap1.domain.com - master
ldap2.domain.com - slave
These servers got different ip addresses and are hosted on different servers But I want
to enable TLS connection with clients.
So can I create a unique certificate that I put on both servers and the client will use
one unique certificate to connect to server "ldap1" or "ldap2" if the
first one is down.
If not, how should I do?
I did a search and I found that I can use subjectAltNames or wildcard certificat.
Thanks
Julien Courtès
3487
days inactive
3488
days old
openldap-technical@openldap.org
5 comments
5 participants
participants (5)
-
Borresen, John - 0442 - MITLL -
Choure, Sidd -
Dieter Klünter -
Jon C Kidder -
Julien Courtès