
(ITS#6554) OpenLDAP + TLS multiple server certificates

Full_Name: Stepan Kipel
Version: 2.4.19
OS: Red Hat Enterprise Linux AS release 4 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

In our network there are 2 servers running slapd: one is the syncrepl provider and
the other is the consumer. Both have an identical IP address for LDAP requests and
are configured in such a manner that when one goes down, the second takes over
(configured externally, by routing). TLS is also configured and works transparently
for client machines (DNS resolves their "common" IP), but it's hard to use their
domain name for TLS syncrepl, since DNS resolves to the IP that is up on the local
machine. We decided to put up another interface on the syncrepl provider for
replication purposes, mapped another domain name to this interface, and appended
the CA, server and private server certs created for this domain name to the files
included by TLSCACertificateFile, TLSCertificateFile and TLSCertificateKey in the
slapd.conf file, respectively. We've tried to execute ldapsearch with two different
ldap.conf configs, for the first and for the second domain name of the server; one
works and the other does not. The error looks like "TLS: hostname (first_srv_name)
does not match common name in certificate (second_srv_name)."

The question is: can the slapd server use more than 2 server certificates, or
should we use another technology (tunneling, etc.) for encrypted syncrepl?
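The "hostname does not match common name" error above is the client-side hostname check: the verifier compares the name it connected to against the certificate's dNSName subjectAltName entries, or, when the certificate has none, against the CN only. The following is an added example, not code from the report or from the OpenLDAP project; it reproduces the CN-only certificate described in the report beside a single certificate whose subjectAltName carries both names, and checks with the openssl CLI which hostnames each one satisfies. The hostnames, file names and the slapd.conf fragment in the comments are hypothetical, and the openssl CLI (1.1.1 or newer, for `x509 -ext`) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of ITS#6554: one server certificate whose
# subjectAltName lists both DNS names, so a single TLSCertificateFile in
# slapd.conf satisfies the hostname check for either name. Hostnames and paths
# are hypothetical; requires the openssl CLI (1.1.1+ for "x509 -ext").

WORK="${WORK:-$(mktemp -d)}"
PUBLIC_NAME="ldap.example.com"        # name clients resolve to the shared IP
REPL_NAME="ldap-repl.example.com"     # name of the provider's replication interface

# gen_cert BASENAME CN [SAN-LIST]: self-signed key/cert pair under $WORK.
# In production you would sign a CSR with your CA instead of using -x509.
gen_cert() {
  cfg="$WORK/$1.cnf"
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ -n "${3:-}" ]; then printf 'x509_extensions = v3_server\n'; fi
    printf '[dn]\nCN = %s\n' "$2"
    if [ -n "${3:-}" ]; then
      printf '[v3_server]\nsubjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$3"
    fi
  } > "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -config "$cfg" >/dev/null 2>&1
}

# cert_has_san BASENAME NAME: true if NAME appears as a DNS entry in the SAN.
cert_has_san() {
  openssl x509 -in "$WORK/$1.crt" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | tr -d ' ' | grep -Fxq "DNS:$2"
}

# hostname_ok BASENAME NAME: would a client connecting to NAME accept the cert?
# This is the same matching rule behind the "hostname ... does not match" error:
# dNSName SAN entries are consulted first, the CN only when there are none.
hostname_ok() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# The reporter's situation (a certificate carrying only a CN) next to the fix
# (one certificate whose SAN covers both names).
gen_cert cn_only "$REPL_NAME"
gen_cert san_both "$PUBLIC_NAME" "DNS:$PUBLIC_NAME, DNS:$REPL_NAME"

# slapd.conf then needs only the single SAN certificate, e.g. (hypothetical paths):
#   TLSCACertificateFile  /etc/openldap/cacert.pem
#   TLSCertificateFile    /etc/openldap/san_both.crt
#   TLSCertificateKeyFile /etc/openldap/san_both.key
# and the consumer's syncrepl directive can use provider=ldap://ldap-repl.example.com
# with starttls=critical, since that name is now covered by the certificate.
```

Run with `sh` to generate both pairs under a temporary directory; `hostname_ok san_both ldap.example.com` and `hostname_ok san_both ldap-repl.example.com` both succeed, while `hostname_ok cn_only ldap.example.com` fails exactly as the ldapsearch in the report did.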