On 09/08/2012 07:29 PM, Tom Tucker wrote:
> I have two 389 servers and a RHEL 6 sssd configured client. LDAP and
> LDAPS authentication is working against these identical DS. My
> question is centered around client side certificate handling.
> Is it possible to reference multiple server certs from
> /etc/openldap/cacerts? For example, if my primary server devldaps4901
> is unreachable, connect to devldap4902 using its cert located in
> /etc/openldap/cacerts (see below)?
> I am able to fail over manually if I delete the ee8c0644.0 hash link and
> recreate it pointing to devldaps4902 along with an sssd restart. Am I
> missing something obvious here or is my approach all wrong?
Yes. Clients do not need to know anything about server certs. The only
thing the clients need to know is the CA cert.
> Thank you,
> Rich,
> Thanks for the setupssl2.sh script. It worked great!
>
> ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_uri = ldaps://devldaps4901.autotrader.com, ldaps://devldaps4902.autotrader.com
>
> [root@rhel6-client cacerts]# ls -l
> total 8
> -rw-r--r--. 1 root root 647 Sep 8 16:02 devldaps4901.asc
> -rw-r--r--. 1 root root 647 Sep 8 16:02 devldaps4902.asc
> lrwxrwxrwx. 1 root root 16 Sep 8 19:13 ee8c0644.0 -> devldaps4901.asc
> lrwxrwxrwx. 1 root root 16 Sep 8 19:13 ee8c0644.1 -> devldaps4902.asc
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
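The reply above makes the key point: the client's cacerts directory should hold the CA certificate, not one hash link per server certificate. The following script is an added example, not code from the thread or from 389-ds; it builds a throw-away CA, signs two server certificates with it, installs only the CA cert (with the OpenSSL subject-hash link that c_rehash would create) into a cacerts directory, and checks that both server certs validate against it. All host names and the CA are constructed, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): show that a
# ldap_tls_cacertdir-style directory needs only the CA certificate to
# validate every server certificate issued by that CA.
# Assumes the openssl command-line tool is available.
set -e

demo_cacertdir() {
    work=$(mktemp -d)
    cacerts="$work/cacerts"
    mkdir -p "$cacerts"

    # Throw-away CA (constructed; stands in for the site's directory CA)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$work/ca.key" -out "$work/ca.pem" \
        -subj "/CN=Example Directory CA" >/dev/null 2>&1

    # One leaf certificate per directory server, both signed by that CA
    # (host names are constructed placeholders)
    for host in ldap1.example.test ldap2.example.test; do
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$work/$host.key" -out "$work/$host.csr" \
            -subj "/CN=$host" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$work/$host.csr" \
            -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
            -out "$work/$host.pem" >/dev/null 2>&1
    done

    # Install ONLY the CA certificate in the cacerts directory, plus the
    # <subject_hash>.0 symlink that OpenSSL uses to look it up by issuer.
    cp "$work/ca.pem" "$cacerts/example-ca.pem"
    hash=$(openssl x509 -noout -subject_hash -in "$cacerts/example-ca.pem")
    ln -s example-ca.pem "$cacerts/$hash.0"

    # Every server certificate chains to the single trusted CA, so a
    # client pointed at this directory can fail over between servers
    # without touching the hash links.
    for host in ldap1.example.test ldap2.example.test; do
        openssl verify -CApath "$cacerts" "$work/$host.pem" >/dev/null 2>&1 || {
            rm -rf "$work"
            return 1
        }
    done

    rm -rf "$work"
    return 0
}
```

Run it with `demo_cacertdir && echo "both servers verified"`. The same layout is what `ldap_tls_cacertdir` expects: one file per CA with its hash link, while the per-server certificates stay on the servers.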