
RE: Q: OpenLDAP In A 'Heartbeat' Cluster



This worked *GREAT*.

Thanks for the help,
Tim

-----Original Message-----
From: Howard Chu [mailto:hyc@highlandsun.com]
Sent: Friday, March 07, 2003 6:08 AM
To: 'Turbo Fredriksson'; openldap-software@OpenLDAP.org
Subject: RE: Q: OpenLDAP In A 'Heartbeat' Cluster


In OpenSSL I use these lines in my openssl.cnf file:
###
DNSNAME = $ENV::DNSNAME
IPADDR = $ENV::IPADDR
###

In the [ usr_cert ] section
###
subjectAltName=DNS:$DNSNAME,IP:$IPADDR
###

You must set the DNSNAME and IPADDR environment variables before running the
CA app to generate/sign the cert. If you need to specify additional names,
use separate environment variables for each.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
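Howard's environment-variable trick carried through as an added example (not code from the thread): a POSIX shell script that writes a minimal openssl.cnf reading the cluster's logical name, each node's name and the service IP from the environment, generates a self-signed certificate with that subjectAltName, and checks which names the certificate actually carries. The variable names (LOGICAL_NAME, NODE1_NAME, NODE2_NAME, IPADDR), the example.test hostnames and the 192.0.2.10 address are assumptions; the same [ usr_cert ] section would be used by `openssl ca` when signing a CSR.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the cluster's logical name, node
# names and service IP from the environment (all names assumed), as Howard describes.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# OpenSSL expands $ENV::NAME when it loads the config, so every variable
# referenced here must be exported before openssl runs.
write_cnf() {
    cat > "$WORK/san.cnf" <<'EOF'
LOGICAL_NAME = $ENV::LOGICAL_NAME
NODE1_NAME   = $ENV::NODE1_NAME
NODE2_NAME   = $ENV::NODE2_NAME
IPADDR       = $ENV::IPADDR

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = usr_cert

[ req_dn ]
CN = $LOGICAL_NAME

[ usr_cert ]
subjectAltName = DNS:$LOGICAL_NAME,DNS:$NODE1_NAME,DNS:$NODE2_NAME,IP:$IPADDR
EOF
}

# Self-signed for the demo; a real CA would sign a CSR with the same
# [ usr_cert ] section via "openssl ca".
make_cert() {
    export LOGICAL_NAME="$1" NODE1_NAME="$2" NODE2_NAME="$3" IPADDR="$4"
    write_cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/san.cnf" >/dev/null 2>&1
}

# Print the SAN line as OpenSSL renders it, e.g.
# "DNS:ldap.example.test, DNS:ldap1.example.test, IP Address:192.0.2.10"
show_san() {
    openssl x509 -in "$WORK/cert.pem" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

# Succeed only if the cert's SAN lists the given DNS name exactly.
cert_has_dns() {
    show_san | grep -qE "DNS:$1(,|\$)"
}
```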

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> Fredriksson
> Sent: Friday, March 07, 2003 1:15 AM
> To: openldap-software@OpenLDAP.org
> Cc: Tim Robbins
> Subject: Re: Q: OpenLDAP In A 'Heartbeat' Cluster
>
>
> [let's keep it on the OpenLDAP list]
>
> Quoting Tim Robbins <Tim.Robbins@ChoicePointPRG.net>:
>
> > Sounds like my immediate solution would then be
> > to build each machine with the same `hostname`
> > and use the same cert.
> >
> > Only caveat would be that if I wanted to look at
> > a particular servers database, I would either have
> > to do this unencrypted or physically log onto the
> > machine and query directly.
> >
> > We are looking at the cluster for pure HA and not
> > necessarily to offload any workload.
>
> Why do it that way? I'm using BOTH my LDAP servers (and I'm building
> more) in a round-robin setup. This gives me the possibility to use
> both (or more) machines' full potential.
>
> In the DNS:
>
>         ----- s n i p -----
>         ldap1   IN A 192.168.1.4
>         ldap2   IN A 192.168.1.5
>         ldap3   IN A 192.168.1.6
>         ; Round-robin
>         ldap    IN A 192.168.1.4
>                 IN A 192.168.1.5
>                 IN A 192.168.1.6
>         ----- s n i p -----
>
> This way, every time you're accessing 'ldap.domain.ltd', it will
> query a random ldap? server. Oki, you still have the problem with
> the cert name...
>
> I have setup the server cert to contain the ldap? entries, so I
> can't really query 'ldap.domain.ltd' through SSL. I haven't figured
> out how to create an alias in the cert, but at least I can use
> (or take down!) any server I like, without interrupting queries...
>
>
> > -----Original Message-----
> > From: Turbo Fredriksson [mailto:turbo@bayour.com]
> > Sent: Thursday, March 06, 2003 12:39 PM
> > To: openldap-software@OpenLDAP.org
> > Subject: Re: Q: OpenLDAP In A 'Heartbeat' Cluster
> >
> >
> > >>>>> "Tim" == Tim Robbins <Tim.Robbins@ChoicePointPRG.net> writes:
> >
> >     Tim> I am currently running OpenLDAP and replicating successfully
> >     Tim> from node 'A' to node 'B'.  I have installed the HA-Linux
> >     Tim> "heartbeat" cluster SW and can successfully fail over my
> >     Tim> logical IP address.  I am using TLS and can reach both nodes
> >     Tim> successfully using GQ with TLS enabled.  When I try and
> >     Tim> connect to the logical node, it errors saying that hostname
> >     Tim> does not match.  I have generated a separate certificate using
> >     Tim> the logical name and appended it to the cert file that is
> >     Tim> loaded in the slapd.conf.
> >
> >     Tim> Is there anything else I have missed with regards to my
> >     Tim> configuration?
> >
> > No. This is 'expected' behaviour... If you have the same cert on both
> > hosts, say it's for host 'ldap.domain.tld', then as long as you're
> > referring to the LDAP server as 'ldap.domain.tld' it's ok. But when you're
> > trying to reference the hosts individually ('ldap1.domain.tld' and/or
> > 'ldap2.domain.tld' for example), then naturally the FQDN of the cert
> > won't match...
> >
> > It should be possible to add 'alias' (or additional CN entries) in a
> > cert, but I never managed to figure out how to do that...
>