On 5/12/2014 9:53 AM, Elizabeth Jones wrote:
Do the certs have to have the server hostnames in them or can I create a
cert that has a virtual name and put that on all the LDAP servers?
If I understand the scenario: you are using a LB that passes through
SSL traffic to the LDAP servers without terminating the SSL sessions
(packets come in from clients, and are sent to the LDAP server of choice
untouched by the LB). In that case you can deploy a cert on all the LDAP
servers with the virtual hostname the clients use to make their
connections to the LB. The clients will validate the cert presented
because its hostname matches the one they used to make the connection.
However, note that any LDAP client that needs to make a connection to a
specific server (bypassing the LB) will now see the "wrong" hostname and
hence fail the certificate host name check (e.g. replication traffic
from other servers).
A wildcard host name may be a good solution in this case.
There may be a way to get the LDAP server to present different
certificates depending on the source IP (hence avoiding the need for a
wildcard cert), but I don't remember such a feature existing off the top
of my head.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
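As an added illustration of the host name check discussed in the reply (not code from the thread or from 389-ds), the following RFC 6125-style matcher shows which connections pass with a single virtual-name cert, a wildcard cert, and, going one step beyond the reply, a cert listing every name as a SAN. The hostnames `ldap.example.com`, `ldap1.example.com` and `ldap2.example.com` are assumptions.

```python
# Added example (not from the thread): RFC 6125-style hostname matching
# against a certificate's dNSName SANs, to show which connections in the
# pass-through LB scenario pass or fail the host name check.


def _dns_name_match(pattern: str, name: str) -> bool:
    """Match one presented dNSName (may be a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    # The wildcard must be the entire leftmost label, must leave at least two
    # fixed labels (so "*.com" is refused), and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(n_labels) != len(p_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def hostname_matches(cert_sans: list[str], hostname: str) -> bool:
    """True if any dNSName SAN on the certificate covers the hostname."""
    return any(_dns_name_match(san, hostname) for san in cert_sans)


# Constructed scenario (assumed names): clients reach the LB as
# ldap.example.com; the individual servers are ldap1/ldap2.example.com and
# replicate with each other directly, bypassing the LB.
VIRTUAL_NAME_CERT = ["ldap.example.com"]
WILDCARD_CERT = ["*.example.com"]
MULTI_SAN_CERT = ["ldap.example.com", "ldap1.example.com", "ldap2.example.com"]


def check_scenarios(cert_sans: list[str]) -> dict[str, bool]:
    """Evaluate the three connection paths against one certificate's SANs."""
    return {
        "via_lb": hostname_matches(cert_sans, "ldap.example.com"),
        "replication": hostname_matches(cert_sans, "ldap1.example.com"),
        "deeper_subdomain": hostname_matches(cert_sans, "ldap1.dc1.example.com"),
    }


if __name__ == "__main__":
    for label, sans in [("virtual name", VIRTUAL_NAME_CERT),
                        ("wildcard", WILDCARD_CERT),
                        ("multi-SAN", MULTI_SAN_CERT)]:
        print(f"{label:13s} {check_scenarios(sans)}")
```

Note that a wildcard covers only one label, so hosts in a deeper subdomain still fail; a cert that lists each server name plus the virtual name as SANs avoids both that gap and the broad scope of a wildcard.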