On 09/08/2012 07:29 PM, Tom Tucker wrote:

I have two 389 servers and a RHEL 6 sssd configured client. LDAP and LDAPS authentication is working against these identical DS. My question is centered around client side certificate handling.

Is it possible to reference multiple server certs from /etc/openldap/cacerts? For example, if my primary server devldaps4901 is unreachable, connect to devldap4902 using its cert located in /etc/openldap/cacerts (see below)?

I am able to fail over manually if I delete the ee8c0644.0 hash and recreate it pointing to devldaps4902 along with an sssd restart. Am I missing something obvious here or is my approach all wrong?

Yes. Clients do not need to know anything about server certs. The only thing the clients need to know is the CA cert.

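The point Rich makes above (a client's cacertdir holds the CA cert, not one entry per server) can be shown end to end with openssl. This is an added example, not code from the thread or from 389/sssd: it builds a constructed private CA, issues certs for two constructed hostnames from it, populates a cacertdir with only the CA (hash-linked the way c_rehash does, which is what ldap_tls_cacertdir expects), and checks that both server certs validate while a cert from an unrelated CA is rejected. It assumes an openssl binary is on PATH; the hostnames and CA name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates that a single CA cert in an
# OpenLDAP-style cacertdir validates any number of server certs issued by that CA.
# Assumes: openssl on PATH. Hostnames and CA name below are constructed.

build_and_verify() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; nothing to demonstrate" >&2
        return 0
    fi
    work=$(mktemp -d) || return 1
    cacerts="$work/cacerts"
    mkdir -p "$cacerts"

    # Constructed private CA standing in for the 389 DS CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1 || return 1

    # Put ONLY the CA cert in cacerts and create the <subject_hash>.0 link,
    # which is the layout ldap_tls_cacertdir / c_rehash use for lookup.
    cp "$work/ca.pem" "$cacerts/ca.pem"
    hash=$(openssl x509 -noout -subject_hash -in "$cacerts/ca.pem") || return 1
    ln -s ca.pem "$cacerts/$hash.0"

    # Issue a server cert per host from the same CA, then verify each one the
    # way a TLS client would: against the cacertdir alone, with no per-server
    # entries. (Hostname matching is a separate check not exercised here.)
    for host in ldap1.example.test ldap2.example.test; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
            -keyout "$work/$host.key" -out "$work/$host.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -days 1 -in "$work/$host.csr" \
            -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
            -out "$work/$host.pem" >/dev/null 2>&1 || return 1
        openssl verify -CApath "$cacerts" "$work/$host.pem" >/dev/null 2>&1 || return 1
    done

    # Negative check: a self-signed cert from an unrelated CA must NOT verify,
    # otherwise the cacertdir is trusting more than intended.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=rogue.example.test" \
        -keyout "$work/rogue.key" -out "$work/rogue.pem" >/dev/null 2>&1 || return 1
    if openssl verify -CApath "$cacerts" "$work/rogue.pem" >/dev/null 2>&1; then
        echo "unrelated cert unexpectedly verified" >&2
        return 1
    fi

    rm -rf "$work"
    return 0
}

build_and_verify && echo "both server certs verify against the CA-only cacertdir"
```

In the thread's terms: the two .asc server certs and their ee8c0644.* links are not what the client should be keyed on; one hash-linked CA cert in /etc/openldap/cacerts covers devldaps4901, devldaps4902 and any future replica signed by the same CA, so failover between the ldap_uri entries needs no symlink juggling.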
Thank you,

Rich,

Thanks for the setupssl2.sh script. It worked great!

ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://devldaps4901.autotrader.com,ldaps://devldaps4902.autotrader.com
[root@rhel6-client cacerts]# ls -l
total 8
-rw-r--r--. 1 root root 647 Sep 8 16:02 devldaps4901.asc
-rw-r--r--. 1 root root 647 Sep 8 16:02 devldaps4902.asc
lrwxrwxrwx. 1 root root  16 Sep 8 19:13 ee8c0644.0 -> devldaps4901.asc
lrwxrwxrwx. 1 root root  16 Sep 8 19:13 ee8c0644.1 -> devldaps4902.asc

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users