I have two 389 servers and a RHEL 6 sssd-configured client.  LDAP and LDAPS authentication is working against these identical DS.  My question is centered around client-side certificate handling.
Is it possible to reference multiple server certs from /etc/openldap/cacerts?  For example, if my primary server devldaps4901 is unreachable, connect to devldaps4902 using its cert located in /etc/openldap/cacerts (see below)?
I am able to fail over manually if I delete the ee8c0644.0 hash link and recreate it pointing to devldaps4902, along with an sssd restart.  Am I missing something obvious here, or is my approach all wrong?
Thank you,
Rich,

Thanks for the setupssl2.sh script.  It worked great!
ldap_tls_cacertdir = /etc/openldap/cacerts

ldap_uri = ldaps://devldaps4901.autotrader.com,ldaps://devldaps4902.autotrader.com
[root@rhel6-client cacerts]# ls -l

total 8

-rw-r--r--. 1 root root 647 Sep  8 16:02 devldaps4901.asc

-rw-r--r--. 1 root root 647 Sep  8 16:02 devldaps4902.asc

lrwxrwxrwx. 1 root root  16 Sep  8 19:13 ee8c0644.0 -> devldaps4901.asc

lrwxrwxrwx. 1 root root  16 Sep  8 19:13 ee8c0644.1 -> devldaps4902.asc
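Added example, not part of the original post and not the poster's or the 389 project's code: a small POSIX shell routine that rebuilds the OpenSSL-style hash links a CA directory such as /etc/openldap/cacerts is looked up by. In that layout each CA certificate is found under the hash of its subject name (what `openssl x509 -hash -noout -in cert` prints), and the numeric suffix `.0`, `.1`, ... exists only to separate distinct certificates whose subject hashes collide; this is the scheme `c_rehash` generates, so several server or CA certs can coexist in one directory as long as each has its own link. The hash command is a parameter so the function can be exercised without openssl; the file names and any fake hash values used for checking are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild <subject-hash>.N
# symlinks in a TLS CA directory the way c_rehash does.
#
# Lookup is by subject-name hash, so each certificate needs its own link.
# The .N suffix increments only when two *different* files share a hash.

# subject_hash FILE -> OpenSSL subject-name hash of a PEM certificate
subject_hash() {
    openssl x509 -hash -noout -in "$1"
}

# rehash_cacerts DIR [HASHFN]
# Removes existing <hash>.N links in DIR (so a deleted cert leaves no
# dangling link), then creates one link per *.asc/*.pem/*.crt file.
# HASHFN defaults to subject_hash; it is a parameter so the logic can be
# tested with a stand-in hash function.
rehash_cacerts() {
    dir=$1
    hashfn=${2:-subject_hash}

    for link in "$dir"/*.[0-9] "$dir"/*.[0-9][0-9]; do
        if [ -L "$link" ]; then
            rm -f "$link"
        fi
    done

    for cert in "$dir"/*.asc "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        h=$("$hashfn" "$cert") || return 1
        n=0
        # first free suffix for this hash: .0 normally, .1 on a collision
        while [ -e "$dir/$h.$n" ]; do
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$h.$n"
    done
}

# Real-world use (run as root, then restart sssd so it re-reads the dir):
#   rehash_cacerts /etc/openldap/cacerts
```

Run `rehash_cacerts /etc/openldap/cacerts` after dropping a new `.asc` file into the directory rather than hand-editing individual links; the function is idempotent, so rerunning it after removing a certificate also cleans up that certificate's link. The hash style must match the OpenSSL the client's TLS library uses (`-hash` on OpenSSL 1.0 is the new-style subject hash; `-subject_hash_old` gives the 0.9.8 style), otherwise the lookup never finds the link.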