I currently have a working openldap/tls/sssd setup with one ldap server.  I'm 
using self-signed server-side and client-side certificates, and the CA for the 
certificates happens to live on the openldap server.  This is, obviously, 
fraught with peril if the openldap server dies!  So, I've set up a second server 
as a replica server and I want to be able to have my sssd clients fail over to 
the replica if the primary goes away.  Thus far, my testing has been 
unsuccessful.  I've cut a server cert for the new server, but when I try to use 
the secondary server as the authorized ldap server I get errors like:

additional info: TLS: hostname does not match CN in peer certificate

With my working setup I specify the ldap_tls_cacert, ldap_tls_cert, and 
ldap_tls_key in my sssd.conf, in my ldap.conf, and in my .ldaprc and 
authentication works and ldapsearch works (with starttls).  If I change my 
ldap_tls_cert and key stuff to point to my 2nd server keys, everything fails.  
I'm not sure how to get this working.  Ultimately, I'm going to have 4 total 
ldap servers, 2 each in disparate regions of the country, one of which is the 
"master" and the 3 others replicas.  Any and all help appreciated as I'm very 
confused at this point.

Thanks.

Kevin Martin
_______________________________________________
sssd-users mailing list

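The TLS hostname check behind the error quoted above, as an added example that is not part of the original post: it reports which hostnames in the ldap_uri / ldap_backup_uri lines of an sssd.conf are covered by a server certificate's SAN dNSName entries (or its CN when there is no SAN), so a certificate cut for one server can be compared against every replica a client may fail over to. The sssd.conf fragment and both certificates are constructed sample data in the dict shape of ssl.SSLSocket.getpeercert(), so the script runs offline.

```python
# Check which hosts named in sssd.conf's ldap_uri / ldap_backup_uri are covered
# by a server certificate (SAN dNSName entries, or the CN when there is no SAN),
# i.e. the check behind "hostname does not match CN in peer certificate".
import re
from urllib.parse import urlparse

# Constructed sample config and certificates (not from the original post).
SSSD_CONF = """
[domain/example]
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com:636
ldap_backup_uri = ldaps://ldap3.example.com
"""
CERT_CN_ONLY = {"subject": ((("commonName", "ldap1.example.com"),),)}  # cut for one host
CERT_SAN = {  # one cert naming the primary plus a wildcard covering the replicas
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"), ("DNS", "*.example.com")),
}

def _name_match(pattern, hostname):
    """RFC 6125 style: case-insensitive; '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # wildcard must be a full label, leave at least two fixed labels, same label count
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def cert_names(cert):
    """Names the cert is valid for: SAN dNSNames if any, otherwise the subject CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def hostname_matches(cert, hostname):
    return any(_name_match(n, hostname) for n in cert_names(cert))

def sssd_ldap_hosts(conf_text):
    """Hostnames from ldap_uri and ldap_backup_uri (comma-separated URI lists)."""
    hosts = []
    for m in re.finditer(r"^\s*ldap(?:_backup)?_uri\s*=\s*(.+)$", conf_text, re.M):
        hosts += [urlparse(u.strip()).hostname for u in m.group(1).split(",")]
    return [h for h in hosts if h]

def check_uris(conf_text, cert):
    """Map each configured LDAP hostname to whether the certificate covers it."""
    return {h: hostname_matches(cert, h) for h in sssd_ldap_hosts(conf_text)}

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("SAN", CERT_SAN)):
        for host, ok in check_uris(SSSD_CONF, cert).items():
            print(f"{label:8} {host:20} {'ok' if ok else 'hostname does not match'}")
```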