--- George Holbert <gholbert(a)broadcom.com> wrote:
> Uhm...I can try, but in that case, is it possible that I've a problem
> with replication?
I don't think so. I've noticed that replication agreements over SSL
don't seem to care about hostname / CN matching, although they do check
that the CA is trusted. If I have the wrong impression on this, someone
please say so :).
Guys,
you shouldn't have to do this. This is what I have in my cert DB:
[root@cnyldap01 alias]# ../shared/bin/certutil -L -d .
CA certificate CTu,u,u
NJ-Server-Cert u,u,u
NJ-admin-server-cert u,u,u
NY-Server-Cert u,u,u
NY-admin-server-cert u,u,u
I then sent the cert8.db & key3.db over to the other server, set up the replication agreements back & forth and voila! Basically, I shoved all my certs in 1 DB and blasted that everywhere.
Now, for the floating IP. If you have two nodes, node1 & node2, and a VIP, ldap.com, and your outside clients talk to ldap.com and your certs are signed with node1 & node2, then I'm guessing SSL verification will fail. You're trying to talk to ldap.com but your certs are signed with node1/2 -- no go. For this end-to-end SSL to work, you'd need an SSL terminator IN FRONT of the FDS servers, something that will impersonate ldap.com, return a cert for ldap.com and then turn around and encrypt the traffic again, passing it to either node1 or node2. A cute little problem is what to do when the ssl proxy fails? :)
The thing is like this. What is the problem you are trying to solve? Why have two FDS servers in 1 location? Why have the virtual IP? It really doesn't buy you a whole lot. Have 2 FDSs if you insist, but then list all of them in the clients' ldap.conf -- no problem.
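As an added example (not from this thread), a stdlib-only Python check of the hostname rule the post relies on: a client that connects to ldap.com rejects a certificate issued only for node1, while a certificate whose subjectAltName lists ldap.com and both node names satisfies whichever name the client used, which goes beyond the post by showing that a multi-name cert is an alternative to the SSL terminator. The dict layout mimics what Python's ssl.getpeercert() returns; the certificates are constructed for the example.

```python
"""Client-side hostname verification against an LDAP server certificate.

Added example, not code from the mailing-list thread. It implements the
RFC 6125 style rule browsers and LDAP clients use: the name the client
dialled must equal a DNS subjectAltName (or, for legacy certs without SANs,
the subject CN); a single leftmost '*' label may cover exactly one label.
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly '*.example.com') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only as the whole leftmost label, never for a bare domain,
    # and it matches exactly one label (no 'a.b.example.com').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names a client may match: DNS SANs if present, else the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def matches_hostname(cert: dict, hostname: str) -> bool:
    """Would a verifying client accept `cert` for a connection to `hostname`?"""
    return any(_dns_name_matches(name, hostname) for name in cert_names(cert))


# Constructed certificates in ssl.getpeercert() layout (not real certs).
NODE1_CERT = {
    "subject": ((("commonName", "node1"),),),
    "subjectAltName": (("DNS", "node1"),),
}
VIP_CERT = {
    "subject": ((("commonName", "ldap.com"),),),
    "subjectAltName": (("DNS", "ldap.com"), ("DNS", "node1"), ("DNS", "node2")),
}

if __name__ == "__main__":
    print("node1 cert, client dials ldap.com:", matches_hostname(NODE1_CERT, "ldap.com"))
    print("multi-name cert, client dials ldap.com:", matches_hostname(VIP_CERT, "ldap.com"))
```

Trust in the issuing CA is a separate check from hostname matching, which is why the replication agreements in the post can succeed while outside clients dialling the VIP fail.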