Still not sure how you did it. Are you saying you set the same
certificate in slapd and played with DNS to make it look like only
one server(URL) to everyone?
Thanks,
Daniel
On 11-08-26 4:03 PM, Chris Jacobs wrote:
What I did:
* setup servers behind VIP
* obtain cert with primary name of vip DNS w/ secondary names
of the servers.
That way, the servers can sync/tryst each other via the same
cert used by clients.
Note: some clients (lookin at you Firefox) won't use the
primary name if subjectaltname exists - so include primary
name in the alt names JIC.
- chris
Chris Jacobs, Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing and Product Developmentï |ïÂ
Aptimus, Inc.
2001 6th Aveï |ï Suite 3200ï |ï Seattle, WA 98121
direct 206.839.8245ï |ï cell 206.601.3256ï |ï fax
206.839.8106
email chris.jacobs@apollogrp.edu
From the openldap website the two nodes have to use different URLs
like below:
syncrepl rid=001
provider=ldap://ldap-sid2.example.com
bindmethod=simple
binddn="cn=mirrormode,dc=example,dc=com"
credentials=mirrormode
searchbase="dc=example,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
and
syncrepl rid=001
provider=ldap://ldap-sid1.example.com
bindmethod=simple
binddn="cn=mirrormode,dc=example,dc=com"
credentials=mirrormode
searchbase="dc=example,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
I can set two different certificates so that TLS is fine for sync
between the two nodes. However we will have regular Ldap client
access these two nodes behind a loadbalancer over TLS too.
Obviously the client can't connect with ldap-sid2.example.com, nor
with ldap-sid1.example.com. So what is the solution to this
scenario? Setup a pool of consumers with same hostname?
Thanks,
Daniel
This message is private
and confidential. If you have received it in error, please
notify the sender and remove it from your system.
|