What I did:
* setup servers behind VIP
* obtain cert with primary name of VIP DNS w/ secondary names of the servers. That way, the servers can sync/trust each other via the same cert used by clients.

Note: some clients (looking at you, Firefox) won't use the primary name if subjectAltName exists - so include the primary name in the alt names JIC.

- chris

Chris Jacobs, Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc.
2001 6th Ave | Suite 3200 | Seattle, WA 98121
direct 206.839.8245 | cell 206.601.3256 | fax 206.839.8106
email chris.jacobs@apollogrp.edu

From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
To: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Fri Aug 26 12:49:04 2011
Subject: Syncrepl over TLS for mirrormode

syncrepl rid=001
  provider=ldap://ldap-sid2.example.com
  bindmethod=simple
  binddn="cn=mirrormode,dc=example,dc=com"
  credentials=mirrormode
  searchbase="dc=example,dc=com"
  schemachecking=on
  type=refreshAndPersist
  retry="60 +"

and I can set two different certificates so that TLS is fine for sync between the two nodes. However, we will have regular LDAP clients access these two nodes behind a load balancer over TLS too. Obviously the client can't connect with ldap-sid2.example.com, nor with ldap-sid1.example.com. So what is the solution to this scenario? Set up a pool of consumers with the same hostname?

syncrepl rid=001
  provider=ldap://ldap-sid1.example.com
  bindmethod=simple
  binddn="cn=mirrormode,dc=example,dc=com"
  credentials=mirrormode
  searchbase="dc=example,dc=com"
  schemachecking=on
  type=refreshAndPersist
  retry="60 +"

Thanks,
Daniel

This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
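As an added example (not part of either message above), the following script issues the kind of certificate Chris describes with OpenSSL: CN set to the VIP name, subjectAltName carrying the VIP name plus both provider hostnames. It then checks each name the way a TLS client does, and also builds a second certificate whose SAN omits the VIP to show why the VIP has to be repeated there: once a SAN extension with DNS names exists, the CN is no longer consulted. The names ldap.example.com (VIP), ldap-sid1.example.com and ldap-sid2.example.com are assumptions; the certificates are self-signed for illustration only, and the same SAN list would go into a CSR for your real CA. OpenSSL 1.1.1 or newer is required for -addext.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: ldap.example.com (VIP),
# ldap-sid1.example.com and ldap-sid2.example.com (the two mirrormode nodes).
# Self-signed certs are used so the script runs offline; production certs come
# from a CA, but the SAN list is the part that matters here.

WORKDIR=${WORKDIR:-$(mktemp -d)}
VIP=ldap.example.com
NODES="ldap-sid1.example.com ldap-sid2.example.com"

# make_cert <basename> <subjectAltName value>
# The CN is always the VIP name; only the SAN list differs between certs.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$VIP" -addext "subjectAltName=$2" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# SAN list as Chris recommends: VIP first, then each node name.
full_san() {
    san="DNS:$VIP"
    for n in $NODES; do san="$san,DNS:$n"; done
    printf '%s' "$san"
}

# SAN list with only the node names, relying on the CN to carry the VIP name.
nodes_only_san() {
    san=""
    for n in $NODES; do san="${san:+$san,}DNS:$n"; done
    printf '%s' "$san"
}

# cert_has_san <basename> <dnsname>: success if DNS:<dnsname> is in the SAN extension.
cert_has_san() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -text \
        | grep -A1 'Subject Alternative Name:' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

# hostname_ok <basename> <hostname>: success if the cert verifies for that hostname
# the way a TLS client checks it (the self-signed cert is its own trust anchor).
hostname_ok() {
    openssl verify -CAfile "$WORKDIR/$1.crt" -verify_hostname "$2" \
        "$WORKDIR/$1.crt" >/dev/null 2>&1
}

make_cert good "$(full_san)"        # CN=VIP, SAN=VIP + both nodes
make_cert bad  "$(nodes_only_san)"  # CN=VIP, SAN=both nodes only

for h in $VIP $NODES; do
    if hostname_ok good "$h"; then echo "good.crt: $h OK"; else echo "good.crt: $h FAIL"; fi
    if hostname_ok bad  "$h"; then echo "bad.crt:  $h OK"; else echo "bad.crt:  $h FAIL"; fi
done
```

With good.crt every name verifies, so one certificate serves the load-balanced clients and the two syncrepl providers. With bad.crt the node names verify but the VIP does not, even though the CN is the VIP name, which is the failure mode Chris warns about. Two practical caveats: the provider URL in each node's syncrepl stanza must match a SAN entry exactly (ldap-sid1.example.com, not a short hostname or an IP), and because one key now serves all three names, it has to be deployed and rotated on both nodes together.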