Our clients are mainly nss_ldap connecting with starttls, so it looks like
our best bet is either a wildcard cert or SubjectAltName. SubjectAltName
seems a bit more complicated to do, as in openssl I will have to edit
the openssl.cnf file, add all the hostnames and recreate the CSR. We
use a local CA here for signing all the certificates used in protected
communications.
Thanks,
Daniel
On 11-08-27 3:45 PM, Marco Schirrmeister wrote:
To avoid all these name problems and to keep things simple I use a
wildcard certificate.
This cert is also used on the real servers and on the load balancer.
The clients talk only to a load balancer, where I have 2 IP
addresses: one for ldapwrite.domain.com and one for ldapread.domain.com.
The load balancer terminates the SSL connection for port 636 and
creates a new session to the backend server.
The reason that I also have the wildcard cert on the backend
servers is for secure connections over 389.
The load balancer doesn't speak the LDAP protocol, so if a client is
doing a starttls it would get the cert from the real server.
If 389 is not needed, then I think 1 or 2 certs on a load balancer
would be enough.
The replication also works with self-signed certs if configured correctly.
--
Marco
On Aug 26, 2011, at 10:35 PM, Daniel Qian wrote:
Still not sure how you did it. Are you saying you set the same
certificate in slapd and played with DNS to make it look like only
one server (URL) to everyone?
Thanks,
Daniel
On 11-08-26 4:03 PM, Chris Jacobs wrote:
What I did:
* set up servers behind a VIP
* obtain a cert with the primary name of the VIP DNS w/ secondary names of the
servers.
That way, the servers can sync/trust each other via the same cert
used by clients.
Note: some clients (looking at you, Firefox) won't use the primary
name if subjectaltname exists - so include the primary name in the alt
names JIC.
- chris
Chris Jacobs, Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc.
2001 6th Ave | Suite 3200 | Seattle, WA 98121
direct 206.839.8245 | cell 206.601.3256 | fax 206.839.8106
email [email protected]
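Added example, not code posted by anyone in this thread: a POSIX shell script that builds the certificate Chris describes and that Daniel is weighing against a wildcard. The VIP name is the CN and is repeated as the first SAN entry (Chris's "include the primary name in the alt names" point) alongside both replica hostnames, and the cert is signed by a local CA as at Daniel's site. It writes its own small config file rather than editing the system openssl.cnf. The hostnames are the ones from the thread; the CA subject, file names and WORKDIR are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI (1.1.0+ for
# -verify_hostname). All paths live under WORKDIR, a temp dir by default.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_local_ca: throwaway CA key + self-signed CA cert (subject is assumed).
make_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Local CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# make_san_cert PRIMARY [NAME...]: key, CSR and CA-signed cert whose SAN lists
# every argument. PRIMARY becomes the CN *and* DNS.1, because SAN-aware clients
# ignore the CN once a subjectAltName extension is present.
make_san_cert() {
    primary="$1"
    cfg="$WORKDIR/san.cnf"
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[dn]\nCN = %s\n' "$primary"
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    # Pitfall: 'x509 -req' silently drops the CSR's extensions unless it is told
    # which config section to apply, so point it back at the same v3_req block.
    openssl x509 -req -days 825 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$cfg" -extensions v3_req -out "$WORKDIR/server.crt" 2>/dev/null
}

# san_names: the DNS names actually present in the signed cert, comma-separated.
san_names() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# chain_ok: does the server cert chain to the local CA?
chain_ok() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# name_matches HOST: would a client expecting HOST accept this cert?
name_matches() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}

# build_demo: VIP name first, then the two syncrepl peers from the thread.
build_demo() {
    make_local_ca
    make_san_cert ldap.example.com ldap-sid1.example.com ldap-sid2.example.com
    echo "SAN: $(san_names)"
}

build_demo
```

Running it prints `SAN: DNS:ldap.example.com,DNS:ldap-sid1.example.com,DNS:ldap-sid2.example.com`. The `name_matches` check is the one worth keeping around: run it once per name the clients and the replication peers will use, and it catches the classic failure of a cert that verifies fine (`chain_ok`) but carries no SAN at all because the extensions were lost at signing time.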
------------------------------------------------------------------------
*From*: [email protected]
<[email protected]>
*To*: [email protected] <[email protected]>
*Sent*: Fri Aug 26 12:49:04 2011
*Subject*: Syncrepl over TLS for mirrormode
From the openldap website the two nodes have to use different URLs
like below:
syncrepl rid=001
provider=ldap://ldap-sid2.example.com
bindmethod=simple
binddn="cn=mirrormode,dc=example,dc=com"
credentials=mirrormode
searchbase="dc=example,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
and
syncrepl rid=001
provider=ldap://ldap-sid1.example.com
bindmethod=simple
binddn="cn=mirrormode,dc=example,dc=com"
credentials=mirrormode
searchbase="dc=example,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
I can set two different certificates so that TLS is fine for sync
between the two nodes. However we will have regular LDAP clients
access these two nodes behind a load balancer over TLS too. Obviously
the client can't connect with ldap-sid2.example.com, nor with
ldap-sid1.example.com. So what is the solution to this
scenario? Set up a pool of consumers with the same hostname?
Thanks,
Daniel