Re: Q: OpenLDAP In A 'Heartbeat' Cluster
[let's keep it on the OpenLDAP list]

Quoting Tim Robbins <Tim.Robbins@ChoicePointPRG.net>:

> Sounds like my immediate solution would then be
> to build each machine with the same `hostname`
> and use the same cert.
> 
> Only caveat would be that if I wanted to look at
> a particular server's database, I would either have
> to do this unencrypted or physically log onto the
> machine and query directly.
> 
> We are looking at the cluster for pure HA and not
> necessarily to offload any workload.

Why do it that way? I'm using BOTH my LDAP servers (and I'm building
more) in a round-robin setup. This gives me the possibility to use
both (or more) machines' full potential.

In the DNS:

        ----- s n i p -----
        ldap1   IN A 192.168.1.4
        ldap2   IN A 192.168.1.5
        ldap3   IN A 192.168.1.6
        ; Round-robin
        ldap    IN A 192.168.1.4
                IN A 192.168.1.5
                IN A 192.168.1.6
        ----- s n i p -----

This way, every time you're accessing 'ldap.domain.tld', it will
query a random ldap? server. OK, you still have the problem with
the cert name...

I have set up the server cert to contain the ldap? entries, so I
can't really query 'ldap.domain.tld' through SSL. I haven't figured
out how to create an alias in the cert, but at least I can use
(or take down!) any server I like, without interrupting queries...


> -----Original Message-----
> From: Turbo Fredriksson [mailto:turbo@bayour.com]
> Sent: Thursday, March 06, 2003 12:39 PM
> To: openldap-software@OpenLDAP.org
> Subject: Re: Q: OpenLDAP In A 'Heartbeat' Cluster
> 
> 
> >>>>> "Tim" == Tim Robbins <Tim.Robbins@ChoicePointPRG.net> writes:
> 
>     Tim> I am currently running OpenLDAP and replicating successfully
>     Tim> from node 'A' to node 'B'.  I have installed the HA-Linux
>     Tim> "heartbeat" cluster SW and successfully and fail over my
>     Tim> logical IP address.  I am using TLS and can reach both nodes
>     Tim> successfully using GQ with TLS enabled.  When I try and
>     Tim> connect to the logical node, it errors saying that hostname
>     Tim> does not match.  I have generated a separate certificate using
>     Tim> the logical name and appended it to the cert file that is
>     Tim> loaded in the slapd.conf.
> 
>     Tim> Is there anything else I have missed with regards to my
>     Tim> configuration?
> 
> No. This is 'expected' behaviour... If you have the same cert on both
> hosts, say it's for host 'ldap.domain.tld', then as long as you're
> referring to the LDAP server as 'ldap.domain.tld' it's OK. But when you're
> trying to reference the hosts individually ('ldap1.domain.tld' and/or
> 'ldap2.domain.tld' for example), then naturally the FQDN of the cert
> won't match...
> 
> It should be possible to add 'alias' (or additional CN entries) in a
> cert, but I never managed to figure out how to do that...
-- 
terrorist Uzi jihad killed attack security pits tritium Rule Psix
Semtex Ortega genetic class struggle Legion of Doom KGB
[See http://www.aclu.org/echelonwatch/index.html for more about this]
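
The cert "alias" both messages are looking for is the subjectAltName extension: one certificate can list the round-robin name and every node name, so the hostname check passes whichever address the client ends up on. The following is an added example, not code from this thread or from OpenLDAP. It issues a self-signed cert (standing in for one from your CA) carrying the hostnames from the DNS snippet above, prints the SAN list, and runs the same hostname match a TLS client performs. It assumes OpenSSL 1.1.1 or newer (for -addext, -ext and -checkhost), which did not exist when this thread was written.

```shell
#!/bin/sh
# Added example (not from the thread): one server certificate valid for the
# round-robin alias and each individual node, via subjectAltName.
# Assumes OpenSSL >= 1.1.1. Hostnames are the ones used in the thread.
set -e

# Scratch directory for the constructed key and certificate.
WORK=$(mktemp -d)

# Issue a self-signed cert whose SAN lists the alias plus every node name.
# Clients check the SAN list; most modern ones ignore the CN entirely, so
# putting the extra names only in the subject would not help.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.crt" \
        -subj "/CN=ldap.domain.tld" \
        -addext "subjectAltName=DNS:ldap.domain.tld,DNS:ldap1.domain.tld,DNS:ldap2.domain.tld,DNS:ldap3.domain.tld" \
        >/dev/null 2>&1
}

# Return 0 if the certificate is valid for the given hostname, 1 otherwise.
# This is the check that produced the "hostname does not match" error.
cert_matches() {
    openssl x509 -in "$WORK/ldap.crt" -noout -checkhost "$1" 2>/dev/null \
        | grep -q 'does match certificate'
}

# Print the alias list the server will present to clients.
show_san() {
    openssl x509 -in "$WORK/ldap.crt" -noout -ext subjectAltName
}

make_san_cert
show_san

# The alias and each node name must match ...
for h in ldap.domain.tld ldap1.domain.tld ldap2.domain.tld ldap3.domain.tld; do
    if cert_matches "$h"; then echo "ok:       $h"; else echo "FAIL:     $h"; fi
done

# ... and a name that is not in the SAN list must still be rejected.
if cert_matches ldap4.domain.tld; then
    echo "unexpected match: ldap4.domain.tld"
else
    echo "rejected: ldap4.domain.tld"
fi
```

Install the same ldap.crt/ldap.key pair on every node (slapd reads them from TLSCertificateFile and TLSCertificateKeyFile), and both 'ldap.domain.tld' and 'ldap1.domain.tld' will verify. The trade-off to keep in mind: one private key now lives on every node, so a compromise of any single node exposes the key that all of them use, and a revocation means reissuing for the whole cluster.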