On Wed, 2009-06-24 at 12:56 -0500, David Christensen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jean-Noel Chardron wrote:
> > David Christensen wrote:
> >> I was having a similar issue yesterday, everything worked until I
> >> appended more than one CA to the file in /etc/openldap/cacerts, then it
> >> kept failing until I limited it to one CA. Are you
> >> using a single CA?
> >>
> > The client authenticates to a server with a single authority, so why try
> > to install two or more? Otherwise you must use one file per CA in the
> > directory, unless you mean a CA chain.
> >
> > --
> > 389 users mailing list
> > 389-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> I have two directory servers in a multimaster config using round robin
> DNS so I need clients to be able to authenticate to both servers since
> it will be random. It hasn't worked for me yet, but that is where I am
> trying to get.
<snip>
That's exactly how we're set up (except we are not multi-master) and it
is working fine. However, one only needs the CA cert in the cacertfile
for it to work. For example, I have two DNS entries for
ldap.mycompany.com which point to my two replicas. Each replica has a
cert with ldap{1,2}.mycompany.com for the cn and that value as well as
ldap.mycompany.com as DNS entries in the subjectAltName. tls_cacertfile
points to a single CA cert file (although I thought it supported
concatenated certs) containing the cert for the CA which issued the ldap
replica certs and keys.

Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
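The setup John describes (two replicas behind one round-robin name, each server cert carrying its own name and the shared name in the subjectAltName, clients trusting the issuing CA through a CA file) can be rehearsed offline before touching a real directory. The script below is an added example written for this thread, not code from any of the posters or from the 389/OpenLDAP projects. It creates a throwaway CA and replica certs with openssl, then applies the two checks a client configured with TLS_REQCERT demand performs: the server cert must chain to a CA in the CA file, and the name the client dialled must appear as a DNS entry in the cert's subjectAltName. It also builds a concatenated two-CA bundle to show that `openssl verify` accepts more than one CA in a single file. The hostnames follow the thread; the key sizes, validity periods, file names and the sample ldap.conf are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread: rehearse the round-robin LDAP TLS
# setup locally. Hostnames are the thread's; everything else is assumed.
set -eu

SERVICE=ldap.mycompany.com              # round-robin name the clients dial
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca <name>: self-signed CA, key in <name>.key, cert in <name>.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$1" >/dev/null 2>&1
}

# issue_cert <host> <ca> <san-list>: server cert with CN=<host>, signed by
# <ca>, carrying the given subjectAltName list (OpenSSL extension syntax)
issue_cert() {
    host=$1 ca=$2 san=$3
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$host.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$host.key" -out "$host.csr" -subj "/CN=$host" >/dev/null 2>&1
    openssl x509 -req -in "$host.csr" -CA "$ca.pem" -CAkey "$ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$host.ext" \
        -out "$host.pem" >/dev/null 2>&1
}

# chain_ok <cert> <cafile>: succeeds if <cert> chains to a CA in <cafile>
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# san_has_name <cert> <name>: succeeds if DNS:<name> is one of the SAN entries.
# Each entry is compared whole, so ldap.mycompany.com does not match
# ldap1.mycompany.com.
san_has_name() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | tr -d ' ' \
        | grep -qxF "DNS:$2"
}

# client_accepts <cert> <cafile> <dialled-name>: both checks together
client_accepts() {
    chain_ok "$1" "$2" && san_has_name "$1" "$3"
}

# The thread's setup: one CA, two replicas, each SAN lists the shared name.
make_ca ca1
issue_cert ldap1.mycompany.com ca1 "DNS:ldap1.mycompany.com,DNS:$SERVICE"
issue_cert ldap2.mycompany.com ca1 "DNS:ldap2.mycompany.com,DNS:$SERVICE"

# A second CA and a replica whose SAN omits the shared name, for contrast.
make_ca ca2
issue_cert ldap3.mycompany.com ca2 "DNS:ldap3.mycompany.com"

# A concatenated CA file holding both CAs.
cat ca1.pem ca2.pem > bundle.pem

# Illustrative client ldap.conf pointing at the bundle (assumed layout).
cat > ldap.conf <<EOF
URI ldaps://$SERVICE
TLS_CACERT $WORK/bundle.pem
TLS_REQCERT demand
EOF

report() {  # report <cert> <cafile> <dialled-name>
    if client_accepts "$1" "$2" "$3"; then echo "OK   $1 via $2 as $3"
    else echo "FAIL $1 via $2 as $3"; fi
}
report ldap1.mycompany.com.pem ca1.pem "$SERVICE"              # OK
report ldap2.mycompany.com.pem ca1.pem "$SERVICE"              # OK
report ldap3.mycompany.com.pem ca1.pem "$SERVICE"              # FAIL: other CA, no shared SAN
report ldap3.mycompany.com.pem bundle.pem ldap3.mycompany.com  # OK: bundle holds ca2
report ldap3.mycompany.com.pem bundle.pem "$SERVICE"           # FAIL: shared name not in SAN
```

Two points the run makes concrete. First, the name check is against the name the client connected to, so with round-robin DNS every replica's cert must list ldap.mycompany.com as a dNSName even though its CN is its own host name; libldap compares the dialled host against the subjectAltName entries and only falls back to the CN when the cert has no SAN. Second, a PEM file holding several CA certs is accepted by `openssl verify`, which is what an OpenSSL-linked libldap reads through TLS_CACERT; the directory form David mentions (/etc/openldap/cacerts, TLS_CACERTDIR) is different, since there OpenSSL expects one CA per file named by subject hash (as produced by c_rehash), not an arbitrary file name.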