--- George Holbert <gholbert at broadcom.com> wrote:

> > Uhm... I can try, but in that case, is it possible that I have a
> > problem with replication?
>
> I don't think so. I've noticed that replication agreements over SSL
> don't seem to care about hostname / CN matching, although they do
> check that the CA is trusted. If I have the wrong impression on this,
> someone please say so :).

Guys, you shouldn't have to do this. This is what I have in my cert DB:

[root at cnyldap01 alias]# ../shared/bin/certutil -L -d .

CA certificate                                   CTu,u,u
NJ-Server-Cert                                   u,u,u
NJ-admin-server-cert                             u,u,u
NY-Server-Cert                                   u,u,u
NY-admin-server-cert                             u,u,u

I then sent the cert8.db & key3.db over to the other server, set up the
replication agreements back & forth, and voila! Basically, I shoved all
my certs in one DB and blasted that everywhere.

Now, for the floating IP. If you've two nodes, node1 & node2, and a VIP,
ldap.com, and your outside clients talk to ldap.com and your certs are
signed with node1 & node2, then I'm guessing SSL verification will fail.
You're trying to talk to ldap.com but your certs are signed with node1/2
-- no go.

For this end-to-end SSL to work, you'd need an SSL terminator IN FRONT of
the FDS servers, something that will impersonate ldap.com, return a cert
for ldap.com, and then turn around and encrypt the traffic again, passing
it to either node1 or node2. A cute little problem is what to do when the
SSL proxy fails? :)

The thing is like this. What is the problem you are trying to solve? Why
have two FDS servers in one location? Why have the virtual IP? It really
doesn't buy you a whole lot. Have 2 FDSs if you insist, but then list all
of them in the clients' ldap.conf -- no problem.
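The hostname-mismatch point made in the message above, as an added example that is not code from the original thread, from FDS, or from NSS certutil: a throwaway CA issues a cert to node1; openssl then accepts the chain when asked only whether the CA is trusted (the check the quoted reply reports the replication agreements doing), accepts the name node1, rejects the VIP name ldap.com, and accepts a cert whose SAN also lists ldap.com. It assumes OpenSSL 1.1.0 or newer on PATH (for `openssl verify -verify_hostname`) and `mktemp`; the CA, the names node1 and ldap.com, and the key size are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumes: openssl >= 1.1.0 on PATH (for `verify -verify_hostname`), mktemp.
# The names node1 / ldap.com and the throwaway CA are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA: a self-signed cert marked CA:TRUE so it may sign server certs.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Lab CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1

# issue_cert LABEL SAN_LIST: server cert signed by the demo CA, named by its
# subjectAltName. Example SAN_LIST: "DNS:node1,DNS:ldap.com"
issue_cert() {
  label=$1
  sans=$2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$label" \
    -keyout "$WORK/$label.key" -out "$WORK/$label.csr" >/dev/null 2>&1
  printf 'subjectAltName=%s\n' "$sans" > "$WORK/$label.ext"
  openssl x509 -req -in "$WORK/$label.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/$label.ext" -out "$WORK/$label.pem" >/dev/null 2>&1
}

# check_ca LABEL: chain-only check (is the issuing CA trusted?), with no
# hostname involved. Prints ok / fail.
check_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# check_name LABEL HOSTNAME: chain check plus hostname match, which is what a
# client that connected to HOSTNAME does. Prints ok / fail.
check_name() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" \
       "$WORK/$1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# A cert issued to node1 only (the situation in the post)...
issue_cert node1 "DNS:node1"
# ...and one that also carries the VIP name, which removes the mismatch.
issue_cert node1_vip "DNS:node1,DNS:ldap.com"

echo "node1 cert, CA only:           $(check_ca node1)"               # ok
echo "node1 cert, host node1:        $(check_name node1 node1)"       # ok
echo "node1 cert, host ldap.com:     $(check_name node1 ldap.com)"    # fail
echo "node1+VIP cert, host ldap.com: $(check_name node1_vip ldap.com)" # ok
```

The third line is the VIP failure the message describes: the chain is fine, only the name is wrong. The fourth line shows the other way out besides an SSL terminator in front of the servers: issue each node a cert whose subjectAltName carries both its own name and the VIP name, so either node can present a cert that matches ldap.com.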