Yes I wasn't aware of subjectAltName and I am still not sure if nss_ldap
in the OS honors that but I will test it out. Thanks Chris for answering
back.
On 11-08-27 4:23 PM, Chris Jacobs wrote:
Apologies for taking a while (and top posting - blackberry).
1)I setup the mirror-mode servers behind a VIP (named ldapmaster1 &
2). VIP hosted on an F5 BigIP - which doesn't load balance StartTLS -
which was fine by us - all 389 connections are insecure and all 686
(?) are secure.
2) I created a cert via a CA trusted on all my client machines with:
2.A) Subject: ldap-vip.[domain]
2.B) subjectAltName(s): ldapmaster1.[domain], ldapmaster2.[domain],
ldap-vip.[domain]
(Subject included in alt name list as some clients - like firefox -
ignore the subject if alt names exist - dumb IMNSHO.)
Then the servers use the same cert to sync w/ each other as the
clients use to connect to the VIP (or if needed, directly to the
ldapmaster servers).
The subjectAltName part of a cert is the 'tricky' part I think you're
missing knowledge of.
A wildcard cert works too, but then it'd be valid for any host
*.[domain]. Not the most secure setup.
- chris
Chris Jacobs, Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc.
2001 6th Ave | Suite 3200 | Seattle, WA 98121
direct 206.839.8245 | cell 206.601.3256 | fax 206.839.8106
email [email protected]
------------------------------------------------------------------------
*From*: Daniel Qian <[email protected]>
*To*: Chris Jacobs
*Cc*: '[email protected]' <[email protected]>
*Sent*: Fri Aug 26 13:35:10 2011
*Subject*: Re: Syncrepl over TLS for mirrormode
Still not sure how you did it. Are you saying you set the same
certificate in slapd and played with DNS to make it look like only one
server(URL) to everyone?
Thanks,
Daniel
On 11-08-26 4:03 PM, Chris Jacobs wrote:
What I did:
* setup servers behind VIP
* obtain cert with primary name of vip DNS w/ secondary names of the
servers.
That way, the servers can sync/tryst each other via the same cert
used by clients.
Note: some clients (lookin at you Firefox) won't use the primary name
if subjectaltname exists - so include primary name in the alt names JIC.
- chris
Chris Jacobs, Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing and Product Development� |�
Aptimus, Inc.
2001 6th Ave� |� Suite 3200� |� Seattle, WA 98121
direct 206.839.8245� |� cell 206.601.3256� |� fax 206.839.8106
email [email protected]
------------------------------------------------------------------------
*From*: [email protected]
<[email protected]>
*To*: [email protected] <[email protected]>
*Sent*: Fri Aug 26 12:49:04 2011
*Subject*: Syncrepl over TLS for mirrormode
From the openldap website the two nodes have to use different URLs
like below:
syncrepl rid=001
provider=ldap://ldap-sid2.example.com
bindmethod=simple
binddn="cn=mirrormode,dc=example,dc=com"
credentials=mirrormode
searchbase="dc=example,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
and
syncrepl rid=001
provider=ldap://ldap-sid1.example.com
bindmethod=simple
binddn="cn=mirrormode,dc=example,dc=com"
credentials=mirrormode
searchbase="dc=example,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
I can set two different certificates so that TLS is fine for sync
between the two nodes. However we will have regular Ldap client
access these two nodes behind a loadbalancer over TLS too. Obviously
the client can't connect with ldap-sid2.example.com, nor with
ldap-sid1.example.com. So what is the solution to this scenario?
Setup a pool of consumers with same hostname?
Thanks,
Daniel
------------------------------------------------------------------------
This message is private and confidential. If you have received it in
error, please notify the sender and remove it from your system.
------------------------------------------------------------------------
This message is private and confidential. If you have received it in
error, please notify the sender and remove it from your system.
