On Fri, Feb 05, 2016 at 09:14:10PM -0000, Kevin Martin wrote:
> I currently have a working openldap/tls/sssd setup with one ldap server. I'm
> using self-signed server side and client side certificates and the CA for the
> certificates happens to live on the openldap server. This is, obviously,
> fraught with peril if the openldap server dies! So, I've set up a second
> server as a replica server and I want to be able to have my sssd clients
> failover to the replica if the primary goes away. Thus far, my testing has
> been unsuccessful. I've cut a server cert for the new server but when I try
> to use the secondary server as the authorized ldap server I get errors like:
>
> additional info: TLS: hostname does not match CN in peer certificate
>
> With my working setup I specify the ldap_tls_cacert, ldap_tls_cert, and
> ldap_tls_key in my sssd.conf, in my ldap.conf, and in my .ldaprc and
> authentication works and ldapsearch works (with starttls). If I change my
> ldap_tls_cert and key stuff to point to my 2nd server keys, everything fails.
> I'm not sure how to get this working. Ultimately, I'm going to have 4 total
> ldap servers, 2 each in disparate regions of the country, one of which is the
> "master" and the 3 others replicas. Any and all help appreciated as I'm very
> confused at this point.
This is a bit off-topic for this list, but I think a better way would be to trust the CA that issues the certs for your servers.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
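The error Kevin quotes is the client's TLS hostname check failing against the replica's certificate. As an added example (not from this thread), the script below builds a private CA, issues a replica certificate with its hostname in a subjectAltName, and checks offline that the certificate chains to that CA for the name a client would dial; the CA name and the ldap2.example.com hostname are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA and a replica server
# certificate with a SAN, then check offline that the cert chains to the CA and
# matches the hostname a client would dial. Names below are assumed.
set -eu

WORK=$(mktemp -d)
CA_CN="Example LDAP CA"          # assumed CA name
REPLICA="ldap2.example.com"      # assumed replica hostname, as it would appear in ldap_uri

# One req config serves the CA (x509_extensions) and the server CSR (-subj overrides CN)
cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $CA_CN
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. CA key and self-signed CA certificate: the file a client's ldap_tls_cacert points at
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/req.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. Replica key and CSR, signed by the CA with the hostname in subjectAltName
openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$REPLICA" \
  -keyout "$WORK/replica.key" -out "$WORK/replica.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$REPLICA" > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/replica.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/san.cnf" \
  -out "$WORK/replica.pem" >/dev/null 2>&1

# verify_for HOST: exit 0 only if replica.pem chains to ca.pem AND its name matches
# HOST; a mismatch here is what surfaces as "hostname does not match CN".
verify_for() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/replica.pem" >/dev/null 2>&1
}

# Stand-alone run: the replica's own name passes, another server's name is rejected
verify_for "$REPLICA" && echo "ok: $REPLICA"
verify_for ldap1.example.com || echo "rejected: ldap1.example.com"
```

Pointing every client at the one ca.pem and giving each server a certificate whose SAN matches the name used in the client's server list is what lets the same client configuration validate any replica.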
