Hostname does not match CN....

> [root at cnyldap01 alias]# ../shared/bin/certutil -L -d .
> CA certificate                                               CTu,u,u
> NJ-Server-Cert                                               u,u,u
> NJ-admin-server-cert                                         u,u,u
> NY-Server-Cert                                               u,u,u
> NY-admin-server-cert                                         u,u,u
> 
Yes, more or less like me... I didn't configure admin.

> Now, for the floating IP.  If you've two nodes, node1 & node2 and a VIP, ldap.com and your outside
> clients talk to ldap.com and your certs are signed with node1 & node2 then I'm guessing SSL
> verification will fail.  You're trying to talk to ldap.com but your certs are signed with node1/2
> -- no go.  For this end to end SSL to work, you'd need an SSL terminator IN FRONT of the FDS
> servers, something that will impersonate ldap.com, return a cert for ldap.com and then turn around
> and encrypt the traffic again, passing it to either node1 or node2.  A cute little problem is what
> to do when the ssl proxy fails?  :)

Unfortunately too complicated for me at this moment :-(


> The thing is like this.  What is the problem you are trying to solve?  Why have two FDS servers in
> 1 location?  Why have the virtual IP?  It really doesn't buy you a whole lot. 
> 

Ok Susan... the problem is configuring Fedora DS in a cluster scenario; I
have two options:

1) Configuring Fedora DS on a GFS file system so I can move DS from nodo1
to nodo2 if it fails for some reason

2) Taking advantage of multi-master replication to do the same
thing... but in this case I have to configure a floating IP and an entry in
DNS that points to the IP, because I don't want clients to point directly to
the nodes

...The second option is better because in this way I can do load
balancing... but even if I use the real names and real IP addresses of nodo1 and
nodo2 the problem is SSL... of course, I can use wildcards as Rob
says... but in that case it is a whole security

 
> Have 2 FDSs insist but then list all of them in the clients' ldap.conf -- no problem.

Please can you explain this?... How can I configure the clients' ldap.conf to
listen to both servers in SSL mode?

Thanks... as always

Alex
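An added illustration of the mismatch Susan describes above (example code written for this page, not from the thread or from Fedora DS): a small RFC 6125-style hostname check in the layout of Python's ssl.getpeercert() dict. It shows that a certificate issued only to node1 fails when the client connects to the VIP name, that a certificate whose subjectAltName lists node1, node2 and the VIP name passes for all three, and how far a wildcard entry actually reaches. The host names node1/node2/ldap.example.com are constructed assumptions.

```python
# Added example (not from the list thread): RFC 6125-style hostname matching
# over certificates in the shape Python's ssl.getpeercert() returns.
# All host names below are constructed; use your own node and VIP names.

def cert_identities(cert: dict) -> list[str]:
    """DNS names the certificate is valid for: SAN dNSName entries if present,
    otherwise (legacy behaviour) the subject commonName."""
    san = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a single '*' as the whole leftmost label
    matching exactly one label (so '*.example.com' matches ldap.example.com but
    neither example.com nor a.b.example.com)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        labels = h.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == p[2:]
    return False


def hostname_ok(cert: dict, hostname: str) -> bool:
    """True if the name the client connected to is covered by the certificate."""
    return any(name_matches(n, hostname) for n in cert_identities(cert))


# Constructed sample certificates in ssl.getpeercert() layout.
NODE1_CERT = {"subject": ((("commonName", "node1.example.com"),),)}
CLUSTER_CERT = {  # one cert per node, SAN listing both nodes and the VIP name
    "subject": ((("commonName", "node1.example.com"),),),
    "subjectAltName": (("DNS", "node1.example.com"),
                       ("DNS", "node2.example.com"),
                       ("DNS", "ldap.example.com")),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for cert, label in ((NODE1_CERT, "node1 CN only"), (CLUSTER_CERT, "SAN with VIP"),
                        (WILDCARD_CERT, "wildcard")):
        for host in ("node1.example.com", "ldap.example.com", "example.com"):
            print(f"{label:14} {host:20} {'OK' if hostname_ok(cert, host) else 'MISMATCH'}")
```

The practical point for the VIP setup: the client verifies the name it dialled, so each node's certificate must carry the VIP name in its SAN (alongside the node's own name) for verification to succeed without a wildcard.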
