Re: Failover and SSL


Hi Rubin,

You can achieve this very easily. Just set up a CA and have your servers' certificates signed by your CA. Then copy the CA certificate to your clients (/etc/openldap/cacerts) and you are done.

Andreas

Rubin wrote:
Hi all!

I'm trying to figure out how to handle high availability in combination with ssl. I have ssl working for both clients and
server to server connections. The problem is that I would like to
give a client only one ip/fqdn for the ldap server, like
ldap.example.com and manage failover to a second ldap multimaster
machine by bringing up that ip or switching the dns entry of the
fqdn to the one designated at that moment as the active ldap server.

The problem lies in the fact that the certificate on the client
has a dn that has to match the hostname to be contacted (i.e.
ldap.example.com) but I don't want to have identical certificates
on the ldap servers (if the dn does not match the hostname to be contacted,
the connection will fail, verified with openssl).

So how can you have a client contact ldap.example.com with ssl enabled
while having the ability to switch ldap.example.com between two machines
without doing something evilish like having identical certificates for
both ldap servers? How are others handling these things?

The reason I want to do failover this way has to do with wanting
to avoid the possibility of conflicts when having the
ability to write to 2 masters at the same time.

Thanks for any pointers and/or eyeopeners!

Grtz,

Rubin.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
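The setup Andreas describes, worked through as an added example that is not part of the thread: one private CA signs a separate certificate (own key, own serial, own fingerprint) for each of the two masters, and both certificates carry the shared service name ldap.example.com in CN and subjectAltName. A client that trusts only the CA then accepts whichever host currently answers on that name, while a certificate for the wrong name is still rejected, which is the failure Rubin saw with openssl. The CA name, host labels ldap1/ldap2, the extra per-host SAN, and the working directory are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the list thread): a private CA that signs two
# distinct server certificates for the same service name, so a client
# trusting only the CA accepts whichever host holds that name right now.
# Names and paths below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
NAME="ldap.example.com"   # the single name handed out to clients

make_ca() {
    # One self-signed CA. Its certificate (ca.pem) is the only thing that
    # needs copying to /etc/openldap/cacerts on the clients.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example LDAP CA (demo)" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

make_server_cert() {
    # $1 is a label for the physical host (ldap1, ldap2). Each host gets
    # its own private key and its own CA-signed certificate; both carry
    # the shared service name, so neither is a copy of the other.
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$NAME" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s,DNS:%s.example.com\n' "$NAME" "$host" \
        > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
}

client_accepts() {
    # What a TLS client effectively checks: the chain ends at a trusted CA
    # and the name it dialled appears in the certificate. $1 is ldap1/ldap2.
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$NAME" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

name_mismatch_rejected() {
    # The same certificate fails for a name it was not issued for, which is
    # the mismatch failure reported in the thread. $1 is ldap1/ldap2.
    ! openssl verify -CAfile "$WORK/ca.pem" \
        -verify_hostname "other.example.com" "$WORK/$1.pem" >/dev/null 2>&1
}

certs_differ() {
    # Different SHA-256 fingerprints: the two masters share a CA and a
    # service name, not a certificate.
    f1=$(openssl x509 -noout -fingerprint -sha256 -in "$WORK/ldap1.pem")
    f2=$(openssl x509 -noout -fingerprint -sha256 -in "$WORK/ldap2.pem")
    [ "$f1" != "$f2" ]
}

run_demo() {
    make_ca
    make_server_cert ldap1
    make_server_cert ldap2
    client_accepts ldap1 && client_accepts ldap2 && certs_differ
}
```

Run it with `sh demo.sh; run_demo` sourced, or append `run_demo && name_mismatch_rejected ldap1 && echo ok` to the end of the file. The certificates are verified with `openssl verify -verify_hostname`, which is what an OpenLDAP client's hostname check amounts to; in production, replace the throwaway CA key handling with proper offline storage.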

