[Fedora-directory-users] Failover and SSL

Jonathan Barber jon at compbio.dundee.ac.uk
Wed Jul 18 11:10:35 UTC 2007


On Wed, Jul 18, 2007 at 11:33:59AM +0200, Rubin wrote:
> Hi all!
> 
> I'm trying to figure out how to handle high availability in
> combination with ssl. I have ssl working for both clients and
> server to server connections. The problem is that i would like to
> give a client only one ip/fqdn for the ldap server, like
> ldap.example.com and manage failover to a second ldap multimaster
> machine by bringing up that ip or switching the dns entry of the
> fqdn to the machine designated at that moment as the active ldap server.

You have to bring up the machine with the same IP; clients may be
caching the DNS results, so unless you've set the DNS TTL very low,
clients may still reference the old IP.

> The problem lies in the fact that the certificate on the client
> has a dn that has to match the hostname to be contacted (ie.
> ldap.example.com) but i don't want to have identical certificates
> on the ldap servers (if the dn does not match the hostname to be contacted,
> connection will fail, verified with openssl).
> 
> So how can you have a client contact ldap.example.com with ssl enabled
> while having the ability to switch ldap.example.com between two machines
> without doing something evilish like having identical certificates for
> both ldap servers? How are others handling these things?

I don't understand why this is evil. If the connection is to the FQDN
that's referenced in the x509 cert, then it will pass that part of the
validation chain, no matter what IP the host is on.

> The reason i want to do failover this way has to do with wanting
> to avoid the possibility of possible conflicts when having the
> ability to write to 2 masters at the same time.

The situation I have is:
ldap
ldap1
ldap2

Where ldap is a virtual IP for one of either ldap{1,2}. They have the
same x509 certificate on each host, with the subject cn=ldap, and a
subjectAltName for ldap1 and ldap2. This way it doesn't matter if the
host is being referred to as ldap/ldap1/ldap2, it all just works (in
production with a variety of linux distros).

> Thanks for any pointers and/or eyeopeners!
> 
> Grtz,
> 
> Rubin.

-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
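
The matching rule Jonathan describes (a connection to the FQDN named in the certificate passes hostname validation whatever IP it lands on) is enforced by the client's TLS library, not by the directory server. The Python below is an added example, not code from this thread or from 389/Fedora Directory Server: it reimplements the hostname check the way RFC 6125 clients perform it, over certificate dicts constructed here to mirror his setup (subject cn=ldap, subjectAltName entries for ldap1 and ldap2) in the layout that ssl.SSLSocket.getpeercert() returns. The function names and the legacy_cn_fallback flag are this example's own. One caveat worth checking against your own deployment: once a certificate carries any DNS subjectAltName, RFC 6125 clients ignore the subject CN entirely, so the virtual name (ldap) should be listed in the SAN as well, not only as the CN.

```python
"""Hostname-vs-certificate matching as a TLS client performs it.

Hypothetical example. The certificate dicts below are constructed to mirror
the thread's setup and use the layout ssl.SSLSocket.getpeercert() returns:
  {'subject': ((('commonName', 'ldap'),),),
   'subjectAltName': (('DNS', 'ldap1'), ('DNS', 'ldap2'))}
"""


def _dns_names(cert):
    """All DNS-type subjectAltName entries, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """Every commonName attribute in the subject (usually exactly one)."""
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def _label_matches(pattern, hostname):
    """Case-insensitive comparison of one presented name against the hostname.

    A '*' is honoured only as the entire leftmost label and only when at least
    two labels follow it, so '*.example.com' matches 'ldap.example.com' but not
    'a.b.example.com', 'example.com' or a bare '*.com'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if (p_labels[0] != "*" or "*" in pattern[1:]
            or len(p_labels) < 3 or len(p_labels) != len(h_labels)):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname, legacy_cn_fallback=False):
    """Return True when `hostname` is an acceptable name for `cert`.

    RFC 6125 rule: if the certificate carries any DNS subjectAltName, only
    those names are consulted and the subject CN is ignored; the CN is used
    only when there is no DNS SAN at all. legacy_cn_fallback=True emulates
    older clients that still accepted a CN match alongside SANs, which is the
    behaviour the thread's cn=ldap + SAN(ldap1, ldap2) layout relies on.
    """
    candidates = _dns_names(cert)
    if not candidates or legacy_cn_fallback:
        candidates = candidates + _common_names(cert)
    return any(_label_matches(name, hostname) for name in candidates)


# Constructed certificate as described in the thread: CN only for the VIP name.
THREAD_CERT = {
    "subject": ((("commonName", "ldap"),),),
    "subjectAltName": (("DNS", "ldap1"), ("DNS", "ldap2")),
}

# Constructed certificate with the VIP name repeated in the SAN list, which
# is what strict RFC 6125 clients need to accept a connection to "ldap".
RECOMMENDED_CERT = {
    "subject": ((("commonName", "ldap"),),),
    "subjectAltName": (("DNS", "ldap"), ("DNS", "ldap1"), ("DNS", "ldap2")),
}


def report(cert, names=("ldap", "ldap1", "ldap2", "ldap3"), legacy_cn_fallback=False):
    """Map each candidate hostname to whether this certificate is valid for it."""
    return {name: match_hostname(cert, name, legacy_cn_fallback) for name in names}


if __name__ == "__main__":
    print("thread cert, strict client:  ", report(THREAD_CERT))
    print("thread cert, legacy client:  ", report(THREAD_CERT, legacy_cn_fallback=True))
    print("recommended cert, strict:    ", report(RECOMMENDED_CERT))
```

Run it against the certificate your own servers present (ssl.SSLSocket.getpeercert() after a handshake to each of ldap, ldap1 and ldap2) and every name a client might use should come back True under the strict rule; any name that only appears in the CN will fail with a modern client even though older libraries let it through.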
