Benjamin,
The SSL certificate is created for a "name" ("Common Name" during the creation). Usually a host
name. So you create your SSL certificate for ldap.example.com or www.example.com.
I know there are better tutorials on SSL, creating your own CA and signing your certificates, but if
you want to play with all of this, check my really old and outdated openldap howto page:
http://www.math.gatech.edu/~dijuremo/ldap/
Specifically the SSL Certificates link:
http://www.math.gatech.edu/~dijuremo/ldap/caframes.html
Remember, this is really old, and maybe not so user friendly as other current
tutorials.
Diego
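As an added example (not from this thread or from either of its authors), the shell script below does what the advice above describes: it mints a small private CA, issues a certificate whose only name is the virtual hostname the clients use (www.example.com from the thread, never node1/node2), stores key and certificate in one shared location, and then checks which hostnames the certificate is actually valid for. The DRBD partition is stood in for by a temporary directory ($SHARED), and the CA name "Example Private CA" is an assumption; it only needs openssl on PATH.

```shell
#!/bin/sh
# Added example, not code from the Linux-HA thread.
# Mint a private CA, issue a certificate for the *virtual* hostname, store it
# where every node reads it, and check which names it is valid for.
# Assumptions: openssl (1.0.2 or newer) on PATH; $SHARED stands in for the
# DRBD-backed directory (e.g. /web/etc/httpd/ssl) mounted on the active node.
set -eu

SHARED="${SHARED:-$(mktemp -d)}"      # simulated shared (DRBD) location
VHOST="${VHOST:-www.example.com}"     # name published in DNS for the shared IP

make_ca() {
    # Self-signed CA certificate; its key must never leave the admin host.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$SHARED/ca.key" -out "$SHARED/ca.crt" >/dev/null 2>&1
}

make_vhost_cert() {
    # CSR for the virtual hostname only; node1/node2 are deliberately absent.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$VHOST" \
        -keyout "$SHARED/$VHOST.key" -out "$SHARED/$VHOST.csr" >/dev/null 2>&1
    # Modern clients match on subjectAltName, not CN, so add the SAN too.
    printf 'subjectAltName=DNS:%s\n' "$VHOST" > "$SHARED/san.ext"
    openssl x509 -req -days 825 -in "$SHARED/$VHOST.csr" \
        -CA "$SHARED/ca.crt" -CAkey "$SHARED/ca.key" -CAcreateserial \
        -extfile "$SHARED/san.ext" -out "$SHARED/$VHOST.crt" >/dev/null 2>&1
    # The private key sits on a shared volume: keep it readable by root only.
    chmod 600 "$SHARED/$VHOST.key"
}

# Returns 0 if the issued certificate would validate for hostname $1.
cert_matches_host() {
    openssl x509 -in "$SHARED/$VHOST.crt" -noout -checkhost "$1" \
        | grep -q "does match"
}

# Returns 0 if the issued certificate chains to the private CA.
cert_chains_to_ca() {
    openssl verify -CAfile "$SHARED/ca.crt" "$SHARED/$VHOST.crt" >/dev/null 2>&1
}

make_ca
make_vhost_cert
# Expected: the certificate matches www.example.com and no node name.
cert_matches_host "$VHOST" && echo "valid for $VHOST"
cert_matches_host node1.example.com || echo "not valid for node1.example.com"
```

Point the Apache (SSLCertificateFile/SSLCertificateKeyFile) or slapd (TLSCertificateFile/TLSCertificateKeyFile) configuration at $SHARED on the mounted DRBD volume, and whichever node holds the virtual IP serves the same certificate; the -checkhost step is the quick test to run after issuing, since a certificate minted for a node name will pass openssl verify yet still fail every client's hostname check.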
Benjamin Watine wrote:
Hi Diego
Thanks a lot for your answer. I was thinking that ssl certificate was
linked to the physical server (with serial number, conf or other), and
couldn't be shared between real servers so easily. If you tell me that
you did it for apache-ssl, then that's not the case!
Thanks again
Ben
Diego Julian Remolina wrote:
This is pretty straight forward. You create the certificate for the
virtual hostname, not your primary and secondary nodes, then you can
either put it on both servers on /etc/ssl or on the drbd partition,
this is just a matter of preference.
You need DNS entries as follows (this is an example, you will use your
real IP addresses):
node1.example.com 192.168.1.11
node2.example.com 192.168.1.12
www.example.com 192.168.1.10 (This is the shared IP which the nodes
can take over and which will be published on DNS for your website)
You create your SSL certificates for www.example.com, not for
node1.example.com nor node2.example.com.
Next, you put it in your drbd partition and then create an ssl
configuration for apache that points to the appropriate location for
the ssl file.
That way, whichever node is up, node1 or node2, will read the SSL
certificate for www.example.com from the same place and it will work
just fine.
In my case, I have the drbd partition mounted on /web on my web
server. I then have all the apache configuration files under
/web/etc/httpd and basically whichever host takes over the virtual IP
(active/passive configuration), will be able to read the
configurations, certificates and web server files.
For ldap, it is the same thing, except your hostname to virtual ip
mapping is:
ldap.example.com points to the virtual IP of your choosing. Then all
your ldap clients use ldap.example.com in their ldap configuration.
HTH,
Diego
Benjamin Watine wrote:
Hi
I'm using heartbeat and drbd for openLDAP, and I would like to use
TLS on it. So I have to create certificate and key files. But I would
like to have the same certificate on both nodes that run openLDAP.
Is there a known way to do that? Can I put the certificate in the drbd
volume and share it across the 2 openLDAP servers?
I think the problem is the same for apache-ssl, maybe there is a good
known solution.
Regards
Benjamin
_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
--
Diego Julian Remolina
System Administrator - Systems Support Specialist III
Institute for Bioengineering and Bioscience
Georgia Institute of Technology
Phone (404) 385-0127
Fax (404) 894-2291
315 Ferst Drive
Atlanta, GA 30332-0363