To avoid all these name problems and to keep things simple I use a wildcard certificate.
This cert is also used on the real servers and on the load balancer. The clients talk only to a load balancer, where I have 2 IP addresses: one for ldapwrite.domain.com and one for ldapread.domain.com. The load balancer terminates the SSL connection for port 636 and creates a new session to the backend server. The reason that I also have the wildcard cert on the backend servers is for secure connections over 389. The load balancer doesn't speak the LDAP protocol, so if a client is doing a StartTLS he would get the cert from the real server. If 389 is not needed, then I think 1 or 2 certs on a load balancer would be enough. The replication works also with self-signed certs if configured correctly.

-- Marco

On Aug 26, 2011, at 10:35 PM, Daniel Qian wrote:

> Still not sure how you did it. Are you saying you set the same certificate in
> slapd and played with DNS to make it look like only one server (URL) to
> everyone?
>
> Thanks,
> Daniel
>
> On 11-08-26 4:03 PM, Chris Jacobs wrote:
>>
>> What I did:
>> * set up servers behind VIP
>> * obtain cert with primary name of VIP DNS w/ secondary names of the servers.
>>
>> That way, the servers can sync/trust each other via the same cert used by
>> clients.
>>
>> Note: some clients (looking at you Firefox) won't use the primary name if
>> subjectAltName exists - so include primary name in the alt names JIC.
>>
>> - chris
>>
>> Chris Jacobs, Systems Administrator, Technology Services Group
>> Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc.
>> 2001 6th Ave | Suite 3200 | Seattle, WA 98121
>> direct 206.839.8245 | cell 206.601.3256 | fax 206.839.8106
>> email [email protected]
>>
>> From: [email protected] <[email protected]>
>> To: [email protected] <[email protected]>
>> Sent: Fri Aug 26 12:49:04 2011
>> Subject: Syncrepl over TLS for mirrormode
>>
>> From the OpenLDAP website the two nodes have to use different URLs like
>> below:
>>
>> syncrepl rid=001
>> provider=ldap://ldap-sid2.example.com
>> bindmethod=simple
>> binddn="cn=mirrormode,dc=example,dc=com"
>> credentials=mirrormode
>> searchbase="dc=example,dc=com"
>> schemachecking=on
>> type=refreshAndPersist
>> retry="60 +"
>>
>> and
>>
>> syncrepl rid=001
>> provider=ldap://ldap-sid1.example.com
>> bindmethod=simple
>> binddn="cn=mirrormode,dc=example,dc=com"
>> credentials=mirrormode
>> searchbase="dc=example,dc=com"
>> schemachecking=on
>> type=refreshAndPersist
>> retry="60 +"
>>
>> I can set two different certificates so that TLS is fine for sync between
>> the two nodes. However we will have regular LDAP clients access these two
>> nodes behind a load balancer over TLS too. Obviously the client can't connect
>> with ldap-sid2.example.com, nor with ldap-sid1.example.com. So what is the
>> solution to this scenario? Set up a pool of consumers with the same hostname?
>>
>> Thanks,
>> Daniel
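The name-matching rules the thread relies on (Marco's wildcard cert, Chris's VIP-plus-server-names SAN cert, and the "CN is ignored once a SAN exists" client behaviour), as an added example that is not from the thread or from OpenLDAP. Hostnames are constructed after the thread's examples; the matching follows RFC 6125 and is written by hand because it does not depend on any LDAP or TLS library.

```python
"""Check which LDAP hostnames a certificate's identities cover (added example).

Two rules matter for the thread's setup:
  * If a subjectAltName is present, a client ignores the Subject CN entirely,
    so the VIP name must be listed in the SAN as well as the CN.
  * A wildcard covers exactly one leftmost label: *.example.com matches
    ldap-sid1.example.com but neither example.com nor a.b.example.com.
"""
from typing import Iterable, List, Sequence


def _name_matches(pattern: str, host: str) -> bool:
    """Match one DNS identity (possibly '*.example.com') against a hostname."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label, nothing else may contain
    # one, and bare patterns like '*.com' are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # Exactly one label is covered: same label count, identical tail.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(host: str, cn: str, sans: Sequence[str] = ()) -> bool:
    """True if a client verifying `host` would accept a cert with this CN/SAN set."""
    if sans:  # SAN present: CN is not consulted (the Firefox behaviour Chris notes)
        return any(_name_matches(name, host) for name in sans)
    return _name_matches(cn, host)


def uncovered(hosts: Iterable[str], cn: str, sans: Sequence[str] = ()) -> List[str]:
    """Hostnames from `hosts` that clients would reject with this certificate."""
    return [h for h in hosts if not cert_covers(h, cn, sans)]


# Constructed names modelled on the thread: one VIP that clients use, two
# providers that replicate to each other over TLS.
VIP = "ldap.example.com"
PROVIDERS = ["ldap-sid1.example.com", "ldap-sid2.example.com"]
ALL_NAMES = [VIP] + PROVIDERS

if __name__ == "__main__":
    print("wildcard CN only :", uncovered(ALL_NAMES, "*.example.com"))
    print("VIP in CN only   :", uncovered(ALL_NAMES, VIP, PROVIDERS))
    print("VIP also in SAN  :", uncovered(ALL_NAMES, VIP, ALL_NAMES))
```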
