Hi,

I am using FreeIPA v4; some client products do not support LDAP failover, 
so I am configuring an LDAP load balancer based on Keepalived to do LDAP 
stream fail-over.
I have two FreeIPA servers (ds01.xxx & ds02.xxx) and I added one new FreeIPA 
service, LDAP/ldapha.xxx, which has two IPs (ds01 & ds02) in its DNS alias entry.

Everything works as expected except TLS certificate verification on the client 
side: the hostname required by the client is ldapha.xxx, the stream is load 
balanced by Keepalived to ds01 or ds02, and the certificate provided by ds01 or 
ds02 does not include ldapha.xxx => TLS handshake fails.

nssdb certificate request:
 Request ID 'yyy':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: xxxx
        subject: CN=ds02.xxxx
        expires: 2019-03-24 13:33:31 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
        track: yes
        auto-renew: yes

ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx

Adding a new SAN to the default LDAP certificate in the NSS DB is possible with 
the command above, but is it recommended/supported? When the FreeIPA software 
is updated, will this SAN configuration persist?
What is the best/recommended solution to cover this need?

Thank you for your help

-- 
David GOUDET 

LYRA NETWORK 
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
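As an added example (not part of the mail above or of FreeIPA's own tooling), a small Python check of whether the SAN set on the certificate a backend presents actually covers the load-balanced alias the client verifies against. The two certificate dicts are constructed to mirror the post (CN=ds02.xxxx before and after the resubmit); the host name and CA file path in the live-check call are assumptions.

```python
import socket
import ssl
from typing import Iterable, Optional

def san_dns_names(cert: dict) -> list:
    """DNS entries from the dict shape ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def _name_matches(pattern: str, hostname: str) -> bool:
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard may only replace the single leftmost label (RFC 6125).
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname

def covers_hostname(cert: dict, hostname: str) -> bool:
    """True if a DNS SAN entry matches. When a SAN extension is present,
    verifiers ignore the subject CN, so CN=ds02.xxxx alone never satisfies
    a client that connected to ldapha.xxx."""
    return any(_name_matches(n, hostname) for n in san_dns_names(cert))

def missing_names(cert: dict, required: Iterable[str]) -> list:
    """Names the certificate must still gain before the alias will verify."""
    return [h for h in required if not covers_hostname(cert, h)]

def fetch_peer_cert(host: str, port: int = 636, ca_file: Optional[str] = None) -> dict:
    """TLS-connect to host:port (LDAPS) and return the peer cert dict.
    Chain verification stays on; only the hostname check is switched off so a
    mismatched certificate can be inspected instead of aborting the handshake."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples mirroring the post: before and after adding the SAN.
CERT_BEFORE = {"subject": ((("commonName", "ds02.xxxx"),),),
               "subjectAltName": (("DNS", "ds02.xxxx"),)}
CERT_AFTER = {"subject": ((("commonName", "ds02.xxxx"),),),
              "subjectAltName": (("DNS", "ds02.xxxx"), ("DNS", "ldapha.xxx"))}

if __name__ == "__main__":
    for label, cert in (("before", CERT_BEFORE), ("after", CERT_AFTER)):
        print(label, "missing:", missing_names(cert, ["ds02.xxxx", "ldapha.xxx"]))
    # Live check against the alias (hypothetical host and CA path), e.g.:
    # live = fetch_peer_cert("ldapha.xxx", ca_file="<path-to-IPA-CA-cert>")
    # print(missing_names(live, ["ldapha.xxx"]))
```

Run the live check several times so each Keepalived backend is hit at least once; every backend must report no missing names for the alias.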