Prashanth Sundaram wrote:
> Rich,
>
> I specify the individual host's FQDN in the replication agreement.

So, ldap01.domain.com? Maybe openldap/openssl has a problem with subjectAltName? Try mozldap ldapsearch instead like this:

/usr/lib/mozldap/ldapsearch -h FQDN -ZZZ -P /etc/dirsrv/slapd-instance -s base -b "" "objectclass=*"

> I use haproxy for LB, so the hosts are in ACTIVE-PASSIVE state.
>
>
> Prashanth Sundaram wrote:
> > Hi All,
> >
> > Which one of the cases below is suitable for a Multi-Master replication? I have a load balancer with ldap.domain.com, which is what clients will use to authenticate.
> >
> > Question:
> > Which one is a better implementation? What are the trade-offs? Please input your feedback as it might be useful for someone coming this way later. This can serve as a knowledge bank.
> >
> > Case-I
> > ldap01: server-cert with cn=ldap01.domain.com, subjAltName=ldap.domain.com
> > ldap02: server-cert with cn=ldap02.domain.com, subjAltName=ldap.domain.com
> > -MMR with tls throws error when "Check hostname against name in certificate for outbound SSL connections" option is enabled. But RH recommends it to be turned ON.
>
> What is the FQDN you specified in the replication agreement?
>
> > Case-II
> > ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com, ldap02.domain.com
> > ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com,ldap02.domain.com
> > -Does not comply with the requirement that "server-cert" should have hostname as cn. I found this method working perfectly fine.
> >
> > Knowledge Sharing:
> > Here's a useful link which I use all the time and look at before posting to the list. This is the archive for the mailing list and has a search feature which is very useful.
> >
> > http://www.mail-archive.com/fedora-directory-users@redhat.com/info.html
> >
> > --
> > 389 users mailing list
> > 389-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
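An added example, not code from this thread or from 389 Directory Server, that models why the Case-I certificates can fail an outbound hostname check that the Case-II certificates pass: it implements RFC 6125-style name matching, where any dNSName subjectAltName present makes the subject CN irrelevant, next to the older lenient behaviour that falls back to the CN. The certificates are constructed dicts mirroring the two cases; which of the two rules a given replication consumer's TLS library actually applies is an assumption the thread does not confirm.

```python
"""Hostname-vs-certificate matching for the two MMR certificate layouts."""

# Constructed sample certificates (no real keys or hosts), mirroring the
# ldap01 server-cert from Case I and from Case II in the thread.
CASE_I_LDAP01 = {"cn": "ldap01.domain.com", "san": ["ldap.domain.com"]}
CASE_II_LDAP01 = {"cn": "ldap.domain.com",
                  "san": ["ldap01.domain.com", "ldap02.domain.com"]}


def _name_matches(presented: str, hostname: str) -> bool:
    """Compare one presented DNS name with a hostname, case-insensitively.

    A '*' is honoured only as the whole leftmost label and only when at
    least two labels follow it, so '*.com' never matches anything.
    """
    p = presented.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] == "*" and len(p) >= 3:
        return len(p) == len(h) and p[1:] == h[1:]
    return p == h


def hostname_matches_cert(cert: dict, hostname: str, strict: bool = True) -> bool:
    """Return True if `hostname` is an acceptable name for `cert`.

    strict=True follows RFC 6125 section 6.4.4: once the certificate carries
    any dNSName SAN, the subject CN is not consulted at all.
    strict=False is the lenient legacy rule (assumed here, not taken from
    the thread): fall back to the CN when no SAN entry matched.
    """
    sans = cert.get("san", [])
    if any(_name_matches(s, hostname) for s in sans):
        return True
    if sans and strict:
        return False
    return _name_matches(cert["cn"], hostname)


def check_layouts() -> dict:
    """Evaluate both cases against the two names a consumer might verify:
    the individual host FQDN from the replication agreement, and the LB name."""
    results = {}
    for label, cert in (("Case I", CASE_I_LDAP01), ("Case II", CASE_II_LDAP01)):
        for host in ("ldap01.domain.com", "ldap.domain.com"):
            for strict in (True, False):
                results[(label, host, strict)] = hostname_matches_cert(cert, host, strict)
    return results


if __name__ == "__main__":
    for (label, host, strict), ok in sorted(check_layouts().items()):
        print(f"{label}: {host!r} strict={strict} -> {'OK' if ok else 'MISMATCH'}")
```

Under the strict rule the Case-I cert for ldap01 is rejected for the very name the agreement uses (ldap01.domain.com), because its only SAN is the LB name; the Case-II cert is accepted for ldap01.domain.com but rejected for the LB name, which only lives in its CN.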