On Wed, Jul 18, 2007 at 11:33:59AM +0200, Rubin wrote:
> Hi all!
> I'm trying to figure out how to handle high availability in
> combination with ssl. I have ssl working for both clients and
> server to server connections. The problem is that I would like to
> give a client only one ip/fqdn for the ldap server, like
> ldap.example.com, and manage failover to a second ldap multimaster
> machine by bringing up that ip or switching the dns entry of the
> fqdn to the machine at that moment designated as the active ldap server.
You have to bring up the machine with the same IP, clients may be
caching the DNS results - so unless you've set the DNS TTL very low,
clients may still reference the old IP.
> The problem lies in the fact that the certificate on the client
> has a dn that has to match the hostname to be contacted (i.e.
> ldap.example.com) but I don't want to have identical certificates
> on the ldap servers (if the dn does not match the hostname to be contacted,
> the connection will fail, verified with openssl).
> So how can you have a client contact ldap.example.com with ssl enabled
> while having the ability to switch ldap.example.com between two machines
> without doing something evilish like having identical certificates for
> both ldap servers? How are others handling these things?
I don't understand why this is evil. If the connection is to the FQDN
that's referenced in the x509 cert, then it will pass that part of the
validation chain, no matter what IP the host is on.
> The reason I want to do failover this way has to do with wanting
> to avoid the possibility of possible conflicts when having the
> ability to write to 2 masters at the same time.
The situation I have is:
ldap
ldap1
ldap2
Where ldap is a virtual IP for one of either ldap{1,2}. They have the
same x509 certificate on each host, with the subject cn=ldap, and a
subjectAltName for ldap1 and ldap2. This way it doesn't matter if the
host is being referred to as ldap/ldap1/ldap2, it all just works (in
production with a variety of linux distros).
> Thanks for any pointers and/or eyeopeners!
> Grtz,
> Rubin.
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
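An added example, not code from the thread or from Fedora Directory Server: it models how a TLS client decides whether the shared certificate Jonathan describes (subject cn=ldap, subjectAltName ldap1 and ldap2) is valid for each of the three names. The certificate is a constructed dict in the shape `ssl.SSLSocket.getpeercert()` returns; the `strict_san` switch is an assumption of this example, contrasting the CN fallback older clients did with the RFC 6125 rule that the CN is ignored once DNS SANs are present, which is why all three names should go in the SAN on a current deployment.

```python
# Constructed stand-in for getpeercert() output on the shared LDAP certificate
# (cn=ldap, SAN ldap1/ldap2), as described in the reply above.
SHARED_LDAP_CERT = {
    "subject": ((("commonName", "ldap"),),),
    "subjectAltName": (("DNS", "ldap1"), ("DNS", "ldap2")),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match. A single leading '*' label may stand
    in for exactly one hostname label (RFC 6125 6.4.3), e.g. '*.example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str, strict_san: bool = True) -> bool:
    """True if `cert` is valid for `hostname`.

    strict_san=True follows RFC 6125 (and current OpenSSL/browser behaviour):
    once any DNS SAN is present, the commonName is never consulted.
    strict_san=False emulates older clients that fell back to the CN, which is
    what made cn=ldap plus SAN ldap1/ldap2 cover all three names in 2007.
    """
    san_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_names:
        if any(_dns_match(n, hostname) for n in san_names):
            return True
        if strict_san:
            return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, hostname):
                return True
    return False


def check_failover_names(cert: dict, strict_san: bool) -> dict:
    """Report which of the thread's three names the certificate covers."""
    return {name: cert_matches_hostname(cert, name, strict_san)
            for name in ("ldap", "ldap1", "ldap2")}


if __name__ == "__main__":
    print("legacy CN fallback:", check_failover_names(SHARED_LDAP_CERT, False))
    print("RFC 6125 client:   ", check_failover_names(SHARED_LDAP_CERT, True))
```

Under the strict rule the virtual name `ldap` no longer matches, so a failover certificate for current clients needs `ldap` listed as a DNS SAN alongside `ldap1` and `ldap2`.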