<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/08/2012 07:29 PM, Tom Tucker wrote:
<blockquote
cite="mid:CAGymF1A8=yspHQFrX7b6ip465gmzTWtJeuRpTaz_re3jXTkLzA@mail.gmail.com"
type="cite"><br>
<div>
<p class="MsoNormal">I have two 389 servers and a RHEL 6 sssd
configured client. LDAP and LDAPS authentication is working
against
these identical DS. My question is
centered around client side certificate handling. </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Is it possible to reference multiple server
certs from /etc/openldap/cacerts? For example, if my primary
server
devldaps4901 is unreachable connect to devldap4902 using its
cert located in
/etc/openldap/cacerts (see below)?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I am able to fail over manually if I
delete the ee8c0644.0
hash and recreate it pointing to devldaps4902 along with an
sssd restart. Am I missing something obvious here or is my
approach all wrong? </p>
</div>
</blockquote>
Yes. Clients do not need to know anything about server certs. The
only thing the clients need to know is the CA cert.<br>
<blockquote
cite="mid:CAGymF1A8=yspHQFrX7b6ip465gmzTWtJeuRpTaz_re3jXTkLzA@mail.gmail.com"
type="cite">
<div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thank you, </p>
<p class="MsoNormal">Rich,</p>
<p class="MsoNormal">Thanks for the setupssl2.sh script. It
worked great!</p>
<pre wrap="">ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://devldaps4901.autotrader.com,ldaps://devldaps4902.autotrader.com

[root@rhel6-client cacerts]# ls -l
total 8
-rw-r--r--. 1 root root 647 Sep 8 16:02 devldaps4901.asc
-rw-r--r--. 1 root root 647 Sep 8 16:02 devldaps4902.asc
lrwxrwxrwx. 1 root root  16 Sep 8 19:13 ee8c0644.0 -> devldaps4901.asc
lrwxrwxrwx. 1 root root  16 Sep 8 19:13 ee8c0644.1 -> devldaps4902.asc</pre>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
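<p>An added sssd.conf fragment (not from this thread) showing the setting the question describes beside the one the reply calls for: trust the issuing CA rather than the individual server certs, and list both servers in ldap_uri so sssd fails over on its own. The domain name and the CA file path are placeholders.</p>

```ini
# Constructed example, not the poster's or sssd's own configuration.
#
# Setting from the question: the hashed links in the cacertdir point at the
# two server certs (ee8c0644.0 -> devldaps4901.asc, ee8c0644.1 -> devldaps4902.asc),
# so failover only works after the link is re-pointed by hand and sssd restarted.
#   ldap_tls_cacertdir = /etc/openldap/cacerts
#
# Corrected: the client only needs the CA cert that signed both server certs.
[domain/example]                  ; placeholder domain name
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://devldaps4901.autotrader.com,ldaps://devldaps4902.autotrader.com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt   ; placeholder path to the CA cert
# If ldap_tls_cacertdir is kept instead, the hashed link <hash>.0 (hash from
# "openssl x509 -noout -hash -in ca.crt") must point at the CA cert, not a server cert.
ldap_tls_reqcert = demand         ; reject servers whose cert does not chain to the CA
```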
<br>
</body>
</html>