
Re: failover config: servers with same DNS address and TLS, subjectAltName extension

--On July 23, 2007 1:51:19 PM +0000 Emmanuel Dreyfus <manu@netbsd.org> wrote:

For future reference, here is what I had to do to get multiple LDAP
servers answering on the same DNS address and using TLS.

The clients have this in ldap.conf:
BASE    dc=example,dc=net
TLS_CACERT      /etc/openssl/certs/ca.crt
URI     ldaps://ldap.example.net:636
TLS_REQCERT     demand
# Cannot get this working!
# TLS_CRLCHECK   peer

Just note that using SSL over port 636 is not a defined protocol, and may go away in the future. Avoiding its use when possible is recommended.

4) Having this working with syncrepl

4.1) On the syncrepl consumer (srv1 and srv2), in slapd.conf:
  syncrepl rid=24
    type=refreshAndPersist
    searchbase="dc=example,dc=net"
    starttls=critical
    bindmethod=sasl
    saslmech=EXTERNAL
    retry=3,1,10,2,60,+

Make sure rid is different on srv1 and srv2.

RID only needs to be unique inside a single configuration (i.e., for a single slapd instance). Both your replicas could use the same RID.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
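The thread subject concerns several servers answering for one DNS name over TLS, which only works with TLS_REQCERT demand if each server's certificate carries the shared name in its subjectAltName extension alongside the server's own name. The script below is an added example, not code from the original thread or from OpenLDAP: it mints a self-signed test certificate with such a SAN and then checks the SAN the same way one would inspect a real server certificate. The hostnames srv1.example.net and ldap.example.net are assumed values for the example, and the helper names make_cert, san_list and san_has are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): build a test certificate whose
# subjectAltName covers both the shared service name and the per-server name,
# then check whether a given DNS name is present in the SAN.
# Hostnames and helper names are assumptions made for this example.

set -e

WORK="${TMPDIR:-/tmp}/san-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_cert HOST SERVICE
#   Writes a self-signed certificate for HOST whose SAN lists both SERVICE
#   (the shared DNS name clients connect to) and HOST (the server's own name).
#   Uses an openssl config file so it works on old OpenSSL versions too.
#   Prints the path of the certificate.
make_cert() {
    host="$1"; service="$2"
    cfg="$WORK/$host.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$service,DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.crt" >/dev/null 2>&1
    echo "$WORK/$host.crt"
}

# san_list CERTFILE
#   Prints the subjectAltName entries of CERTFILE, one per line (e.g. DNS:foo).
san_list() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//'
}

# san_has CERTFILE NAME
#   Exit status 0 if NAME appears as a DNS entry in the SAN of CERTFILE.
#   This is the check a client doing TLS_REQCERT demand effectively performs
#   against the name from its URI (ldap.example.net in the thread).
san_has() {
    san_list "$1" | grep -qx "DNS:$2"
}

# Stand-alone run: two replicas behind one service name, as in the thread.
for srv in srv1.example.net srv2.example.net; do
    cert=$(make_cert "$srv" ldap.example.net)
    echo "$srv: SAN = $(san_list "$cert" | tr '\n' ' ')"
    if san_has "$cert" ldap.example.net; then
        echo "$srv: OK, shared name ldap.example.net present in SAN"
    else
        echo "$srv: MISSING shared name, clients using ldap.example.net will reject it"
    fi
done
```

Run the script on each server's real certificate by calling san_has with the certificate file and the name from the clients' URI line; a certificate that only carries the server's own name in CN or SAN will fail this check, which matches what a client with TLS_REQCERT demand would do.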