[389-users] SSL - Multiple Server Certs
Rich Megginson
rmeggins at redhat.com
Mon Sep 10 15:09:57 UTC 2012
On 09/08/2012 07:29 PM, Tom Tucker wrote:
>
> I have two 389 servers and a RHEL 6 sssd configured client. LDAP and
> LDAPS authentication is working against these identical DS. My
> question is centered around client-side certificate handling.
>
> Is it possible to reference multiple server certs from
> /etc/openldap/cacerts? For example, if my primary server devldaps4901
> is unreachable connect to devldap4902 using its cert located in
> /etc/openldap/cacerts (see below)?
>
> I am able to fail over manually if I delete the ee8c0644.0 hash and
> recreate it pointing to devldaps4902 along with an sssd restart. Am I
> missing something obvious here or is my approach all wrong?
>
Yes. Clients do not need to know anything about server certs. The only
thing the clients need to know is the CA cert.
>
> Thank you,
>
> Rich,
>
> Thanks for the setupssl2.sh script. It worked great!
>
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> ldap_uri = ldaps://devldaps4901.autotrader.com,ldaps://devldaps4902.autotrader.com
>
> [root@rhel6-client cacerts]# ls -l
> total 8
> -rw-r--r--. 1 root root 647 Sep 8 16:02 devldaps4901.asc
> -rw-r--r--. 1 root root 647 Sep 8 16:02 devldaps4902.asc
> lrwxrwxrwx. 1 root root 16 Sep 8 19:13 ee8c0644.0 -> devldaps4901.asc
> lrwxrwxrwx. 1 root root 16 Sep 8 19:13 ee8c0644.1 -> devldaps4902.asc
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
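Rich's point above, shown as an added example (not code from the thread, nor from 389 DS or sssd): a trust directory that holds only the CA certificate validates both servers' certificates, while a certificate from an unknown issuer is rejected. It assumes `openssl` is on the path; the hostnames come from the thread, and the CA, keys and certificates are throwaway material created in a temporary directory that stands in for /etc/openldap/cacerts.

```shell
#!/bin/sh
# Added example, not code from the thread: a client trust directory that
# holds only the CA certificate validates every server certificate that
# CA issued, so failover between servers needs no per-server entries.
# Hostnames are taken from the thread; CA, keys and certs are throwaway
# material generated here, and $CACERTS stands in for /etc/openldap/cacerts.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CACERTS="$WORK/cacerts"
mkdir -p "$CACERTS"

# Throwaway CA (self-signed; `req -x509` marks it CA:TRUE by default)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test LDAP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Issue a server certificate for one directory server, signed by the CA
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/$1.pem" 2>/dev/null
}
issue_server_cert devldaps4901
issue_server_cert devldaps4902

# A self-signed cert from an unknown issuer, for the negative case
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

# Populate the cacertdir the way c_rehash does, but with the CA cert only:
# <subject_hash>.0 -> ca.pem. No per-server files are needed.
install_ca() {
    subj_hash=$(openssl x509 -noout -hash -in "$WORK/ca.pem")
    cp "$WORK/ca.pem" "$CACERTS/ca.pem"
    ln -sf ca.pem "$CACERTS/$subj_hash.0"
}
install_ca

# Exit 0 when the named cert chains to a CA in $CACERTS, non-zero otherwise;
# this is the same path lookup a TLS client performs against a cacertdir.
verify_server() {
    openssl verify -CApath "$CACERTS" "$WORK/$1.pem" >/dev/null 2>&1
}

for host in devldaps4901 devldaps4902 rogue; do
    if verify_server "$host"; then echo "$host: trusted"; else echo "$host: rejected"; fi
done
```

In sssd terms, `ldap_tls_cacertdir` would point at a directory laid out like `$CACERTS`, holding the hashed CA certificate rather than one entry per server.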