I am using FreeIPAv4, some of clients products does not support LDAP failover 
so i am configuring LDAP loadbalancer based on KeepAlived to do LDAP stream 
I have two FreeIPA server (ds01.xxx & ds02.xxx) and i added one new FreeIPA 
service LDAP/ldapha.xxx which have two IPs (ds01 & ds02) in DNS Alias entry.

Everything works as excepted except TLS certificate verification on client 
side: required Hostname from client is ldapha.xxx, stream is load balanced by 
KeepAlive on ds01 or ds02 and certificate provided by ds01 or ds02 does not 
include ldapha.xxx => TLS handshake failed.

nssdb certificate request:
 Request ID 'yyy':
        status: MONITORING
        stuck: no
        key pair storage: 
Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
Certificate DB'
        CA: IPA
        issuer: xxxx
        subject: CN=ds02.xxxx
        expires: 2019-03-24 13:33:31 UTC
        key usage: 
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
        track: yes
        auto-renew: yes

ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx

Add new SAN in default LDAP certificate in nssdb is possible with command above 
but is it recommended/supported? When FreeIPA software will be updated is this 
SAN configuration will be persistent?
What is the best/recommended solution to cover this need?

Thank you for your help


IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to