[email protected] wrote:
> Full_Name: Stepan Kipel
> Version: 2.4.19
> OS: Red Hat Enterprise Linux AS release 4
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (79.140.224.210)
>
>
> In our network there are 2 servers running slapd, one is syncrepl-provider and
> the other is consumer. Both have an identical IP address for LDAP requests and
> are configured in a manner that when one goes down, the second takes over
> (configured externally, by routing). Also, TLS is configured and works
> transparently for client machines (DNS resolves their "common" IP), but it's
> hard to use their Domain Name for TLS syncrepl - DNS resolves the IP that is up
> on the local machine. We decided to put up another interface on the
> syncrepl-provider for replication purposes, mapped another Domain Name on this
> interface and appended CA, server and private server certs created for this
> Domain Name to the files included by TLSCACertificateFile, TLSCertificateFile
> and TLSCertificateKey in the slapd.conf file, respectively. We've tried to
> execute ldapsearch with two different ldap.conf configs - for the first and
> second domain name of the server; one works and the other does not. The error
> looks like "TLS: hostname (first_srv_name) does not match common name in
> certificate (second_srv_name)."
>
> The question is - can the slapd server use more than 2 server certificates, or
> should we use another technology (tunneling, etc...) for encrypted syncrepl?

A server cert file and key file may only contain one item; that's a constraint from the underlying TLS library. You should not have needed to create a new CA for this situation. You should look at using a single server cert with a subjectAltName matching the alternate interface name.
The ITS is for bug reports, not for getting help on using the software. This ITS will be closed. Use the -software mailing list.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
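The single-certificate approach recommended in the reply, shown as an added example that is not part of the ITS thread or of OpenLDAP itself: one key and one certificate whose subjectAltName lists both the shared client-facing name and the dedicated replication-interface name, followed by the same host-name check a TLS client performs. The host names ldap.example.com and ldap-repl.example.com are placeholders, the certificate is a throwaway self-signed one (in practice you would send a CSR carrying the same SAN to the existing CA), and the `-addext` option needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the ITS thread: one server certificate that covers
# two DNS names via subjectAltName, so a single TLSCertificateFile /
# TLSCertificateKeyFile pair in slapd.conf serves both client and syncrepl TLS.
set -eu

CLIENT_NAME="ldap.example.com"        # assumed: name clients resolve to the shared IP
REPL_NAME="ldap-repl.example.com"     # assumed: name mapped to the provider's replication interface
WORKDIR="${TMPDIR:-/tmp}/san-demo.$$" # throwaway directory for the demo key and cert

# Generate one private key and one self-signed certificate listing both names
# as DNS SANs. The CN is kept for old clients; modern clients only look at SANs.
make_san_cert() {
    mkdir -p "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
        -subj "/CN=$CLIENT_NAME" \
        -addext "subjectAltName=DNS:$CLIENT_NAME,DNS:$REPL_NAME" \
        >/dev/null 2>&1
}

# Return 0 if the certificate is valid for the given host name, 1 otherwise.
# -verify_hostname applies the SAN/CN matching rule that produced the
# "hostname ... does not match common name" error in the report.
verifies_for() {
    openssl verify -CAfile "$WORKDIR/server.crt" \
        -verify_hostname "$1" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Show the SAN extension so an operator can confirm both names are present.
show_san() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name'
}

make_san_cert
show_san
verifies_for "$CLIENT_NAME" && echo "ok: $CLIENT_NAME"
verifies_for "$REPL_NAME"   && echo "ok: $REPL_NAME"
verifies_for "other.example.com" || echo "rejected: other.example.com (not in SAN)"
```

The script leaves server.key and server.crt under $WORKDIR so they can be inspected; pointing TLSCertificateFile and TLSCertificateKeyFile at one such pair is what lets both ldap.conf configurations from the report succeed, since the consumer's syncrepl `uri` can then use the replication name while clients keep using the shared one.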
