[Fedora-directory-users] Failover and SSL

Rubin rubin at xs4all.nl
Wed Jul 18 09:33:59 UTC 2007


Hi all!

I'm trying to figure out how to handle high availability in
combination with SSL. I have SSL working for both client and
server-to-server connections. The problem is that I would like to
give a client only one IP/FQDN for the LDAP server, like
ldap.example.com, and manage failover to a second LDAP multimaster
machine by bringing up that IP or switching the DNS entry of the
FQDN to the machine that is at that moment designated as the active LDAP server.

The problem lies in the fact that the certificate on the client
has a DN that has to match the hostname to be contacted (i.e.
ldap.example.com), but I don't want to have identical certificates
on the LDAP servers (if the DN does not match the hostname to be contacted,
the connection will fail; verified with openssl).

So how can you have a client contact ldap.example.com with SSL enabled
while having the ability to switch ldap.example.com between two machines
without doing something evilish like having identical certificates for
both LDAP servers? How are others handling these things?

The reason I want to do failover this way has to do with wanting
to avoid the possibility of conflicts when having the
ability to write to 2 masters at the same time.

Thanks for any pointers and/or eyeopeners!

Grtz,

Rubin.
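The check the poster ran with openssl is the client's hostname verification: the name it connects to must appear in the server certificate. The added example below (editor's illustration, not code from the poster or from the directory server project) shows that verification rule in Python over constructed certificate dicts shaped like the output of `ssl.SSLSocket.getpeercert()`. It assumes the usual rule that when a certificate carries a subjectAltName extension, its DNS entries are what the client matches, so two distinct certificates (different serial numbers, different common names) can each list the shared service name and both validate for `ldap.example.com`, while a certificate that names only its own host fails exactly as described in the post. The certificate contents, server names and serial numbers are made up for the example.

```python
"""Hostname verification for a shared LDAP service name during failover.

Constructed example: the certificate dicts mimic the shape returned by
ssl.SSLSocket.getpeercert(), but no real server is contacted and all
values (names, serial numbers) are invented for illustration.
"""

# Certificate for the first multimaster: its own name plus the shared
# service name, both as subjectAltName dNSName entries.
LDAP1_CERT = {
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"), ("DNS", "ldap.example.com")),
    "serialNumber": "1001",  # constructed value
}

# Certificate for the second multimaster: a different certificate that
# also carries the shared service name.
LDAP2_CERT = {
    "subject": ((("commonName", "ldap2.example.com"),),),
    "subjectAltName": (("DNS", "ldap2.example.com"), ("DNS", "ldap.example.com")),
    "serialNumber": "1002",  # constructed value
}

# A certificate that names only its own host: this is the failing case
# the poster observed when contacting ldap.example.com.
LEGACY_CERT = {
    "subject": ((("commonName", "ldap2.example.com"),),),
    "serialNumber": "1003",  # constructed value
}

# A wildcard certificate, to show the left-most-label-only wildcard rule.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "serialNumber": "1004",  # constructed value
}


def dns_names(cert):
    """Names a client may match: subjectAltName dNSName entries when the
    extension is present, otherwise the commonName as a fallback."""
    san = cert.get("subjectAltName", ())
    if san:
        # SAN present: commonName is ignored even if SAN has no DNS entries.
        return [value for kind, value in san if kind == "DNS"]
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard is allowed only as the entire
    left-most label and must not match across label boundaries."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """True when the certificate is acceptable for the name being contacted."""
    return any(name_matches(p, hostname) for p in dns_names(cert))


def servers_valid_for(certs, service_name):
    """Given {server: cert}, list the servers whose certificate validates
    for the shared service name, i.e. the ones safe to fail over to."""
    return sorted(s for s, c in certs.items() if hostname_matches(c, service_name))


if __name__ == "__main__":
    pool = {"ldap1": LDAP1_CERT, "ldap2": LDAP2_CERT, "legacy": LEGACY_CERT}
    print("valid for ldap.example.com:", servers_valid_for(pool, "ldap.example.com"))
```

The two certificates that pass are not identical (different subject and serial), which is the property the post wants to preserve; what they share is only the extra name. Any certificate that lists just its own hostname is rejected by the same check that openssl applies.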
