Hi all! I'm trying to figure out how to handle high availability in combination with SSL. I have SSL working for both clients and server-to-server connections. The problem is that I would like to give a client only one IP/FQDN for the LDAP server, like ldap.example.com, and manage failover to a second LDAP multimaster machine by bringing up that IP or switching the DNS entry of the FQDN to the machine designated at that moment as the active LDAP server. The problem lies in the fact that the certificate on the client has a DN that has to match the hostname to be contacted (i.e. ldap.example.com), but I don't want to have identical certificates on the LDAP servers (if the DN does not match the hostname to be contacted, the connection will fail, verified with openssl). So how can you have a client contact ldap.example.com with SSL enabled while having the ability to switch ldap.example.com between two machines without doing something evilish like having identical certificates for both LDAP servers? How are others handling these things? The reason I want to do failover this way has to do with wanting to avoid the possibility of conflicts when having the ability to write to 2 masters at the same time. Thanks for any pointers and/or eye-openers!

Grtz, Rubin.
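Added example, not from Rubin's post or any LDAP project: the hostname check a TLS client performs is against the certificate's subjectAltName DNS entries (falling back to the subject CN only when there is no SAN), so each LDAP server can carry its own distinct certificate and key as long as its SAN lists both the shared service name and the server's own name. The certificates below are constructed dicts in the shape Python's `ssl.getpeercert()` returns (the server names are assumed for illustration), and the matcher follows the RFC 6125 rules that the `ssl` module applies.

```python
from __future__ import annotations

# Added example (not part of the original post): RFC 6125 style hostname
# matching against X.509 name entries, in the dict shape ssl.getpeercert()
# returns. All certificates here are constructed sample data.

# Server 1: its own key pair, SAN covers the service name and its own name.
LDAP1_CERT = {
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "ldap1.example.com")),
    "serialNumber": "01",  # constructed; differs per server
}

# Server 2: a different certificate and key, same service name in its SAN.
LDAP2_CERT = {
    "subject": ((("commonName", "ldap2.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "ldap2.example.com")),
    "serialNumber": "02",  # constructed; differs per server
}

# The failing setup from the question: CN is the host's own name and no SAN.
CN_ONLY_LDAP1_CERT = {
    "subject": ((("commonName", "ldap1.example.com"),),),
}


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS-ID against a hostname.

    Case-insensitive, trailing dots ignored. A single '*' is accepted only as
    the entire left-most label and only if at least two labels follow it, so
    '*.example.com' is fine but '*.com' and 'ld*.example.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if len(plabels) != len(hlabels):
        return False
    if plabels[0] == "*":
        if len(plabels) < 3:
            return False
        return plabels[1:] == hlabels[1:]
    if "*" in pattern:
        return False
    return pattern == hostname


def cert_names(cert: dict) -> list[str]:
    """Names the certificate is valid for: SAN dNSName entries, or the subject
    commonName only when the certificate has no subjectAltName at all."""
    san = cert.get("subjectAltName", ())
    names = [value for kind, value in san if kind == "DNS"]
    if not names and not san:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if a client connecting to `hostname` would accept this certificate
    on the name check (trust-chain validation is a separate step)."""
    return any(_dnsname_match(name, hostname) for name in cert_names(cert))


def failover_report(service_name: str, certs: dict[str, dict]) -> dict[str, bool]:
    """For each server's certificate, whether a client reaching the service
    name (the floating IP / switched DNS entry) would accept it."""
    return {server: hostname_matches(cert, service_name) for server, cert in certs.items()}


if __name__ == "__main__":
    report = failover_report(
        "ldap.example.com",
        {"ldap1": LDAP1_CERT, "ldap2": LDAP2_CERT, "ldap1-cn-only": CN_ONLY_LDAP1_CERT},
    )
    for server, ok in report.items():
        print(f"{server:14s} accepted for ldap.example.com: {ok}")
```

The two per-server certificates are distinct (different subject, different serial, and in practice different keys) yet both pass the check for ldap.example.com, so the client needs no special handling when the address moves between machines; the CN-only certificate reproduces the failure described in the post. One caveat: very old clients that look only at the CN will not honour the SAN entries, so it is worth confirming which names the deployed LDAP client library actually checks.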