eastldap0
- eastldap0.test.com cert
- eastldap.test.com cert
...
Each running FDS server instance will have just one SSL certificate.
If you want your server to identify with multiple names, you can either:
- Do a cert with subjectAltName extensions.
- Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com).
LDAP / SSL client support for these varies, so you will probably want to
test both ways and see what works with better with your clients.
If it works for you, the subjectAltName method is probably preferable,
because you can precisely list the valid names for your server.
Also, consider keeping it simple and just doing certs with single names
(e.g., one cert each for 'westldap.test.com' and 'eastldap.test.com'),
and installing that same cert on each server which should have that SSL
identity. This is actually a pretty common way to do it, though it will
limit your ability to make SSL connections to individual nodenames, like
eastldap0.test.com (as you noticed).
Ryan Braun wrote:
Hey guys, installed FDS on a couple debian servers this week and am liking it
so far. I have a couple questions regarding SSL/TLS setup with servers setup
for IP takeover type HA setup. Keep in mind I have some experience with the
LDAP side of things, it's the ssl and all the different certs and whatnot
that keeps me up at night.
Essentially what I'm looking at is a 4 way multimaster setup, ending up with
2 HA pairs of servers. call them eastldap and westldap. I've implemented
the east side in my test lab and have it replicating and can pull any user
info I need off the directory no problem.
so
eastldap0.test.com ip 192.168.0.11
eastldap1.test.com ip 192.168.0.12
and the virtual interface on whichever machine is master would be
eastldap.test.com ip 192.168.0.10
and then the exact same setup with the last 2
westldap0.test.com ip 192.168.1.11
westldap1.test.com ip 192.168.1.12
westldap.test.com ip 192.168.1.10
Once everything is setup and running clients would be primarily only
connecting to either virtual interface west/eastldap using TLS over port 389
and the 4 masters replicating with encryption (not sure but I imagine this
takes place on ldaps port).
I followed the instructions on the howto:ssl page and created a cert located
on eastldap0. But instead of using the eastldap0.test.com as the cn, I used
eastldap.test.com. Cert installed ok, made sure eastldap0 was the HA master
and restarted fds.
When I copied over the cacert to a linux client, I can run searches using
ldapsearch -ZZ -h eastldap.test.com. Server logs and wire sniffs confirm
everything is coming back encrypted. It seems to be behaving as expected,
when I try ldapsearch -ZZ -h eastldap0.test.com, it pukes with error 11
additional info: TLS: hostname does not match CN in peer certificate, which
is right as the name in the cert is eastldap.test.com.
So it would appear I'm on my way, I just am not sure about what certs I need
now, and how to add them properly. I would think I need at the very least
eastldap0
- eastldap0.test.com cert
- eastldap.test.com cert
eastldap1
- eastldap1.test.com cert
- eastldap.test.com cert
westldap0
- westldap0.test.com cert
- westldap.test.com cert
westldap1
- westldap1.test.com cert
- westldap.test.com cert
I'm just not sure if that is the proper way to go about it. Also, I would
like to have the clients to be able to have all the cacerts to be able to
communicate with all virtual and physical address' if need be. Later on, I
would be adding probably 5 or 6 consumer read only replicas inbetween the
suppliers and the clients, but one must walk before they run I guess :)
Long post I know, just trying to make sure I get all the important stuff out
there. Be kind if I was using the incorrect terminology for the
certs/cacerts :)
Ryan
PS. anyone have a good SSL for dummies reference that lays out what the heck
is going on with SSL (pems,keys,certs,cacerts etc)
--
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
