[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Q: OpenLDAP In A 'Heartbeat' Cluster

[let's keep it on the OpenLDAP list]

Quoting Tim Robbins <Tim.Robbins@ChoicePointPRG.net>:

> Sounds like my immediate solution would then be
> to build each machine with the same `hostname`
> and use the same cert.
> Only caveat would be that if I wanted to look at
> a particular servers database, I would either have
> to do this unencrypted or physically log onto the 
> machine and query directly.
> We are looking at the cluster for pure HA and not
> necessarilly to offload any workload.

Why do it that way? I'm using BOTH my LDAP servers (and I'm building
more) in a round-robin setup. This give me the possibility to use
both (or more) machines full potential.

In the DNS:

        ----- s n i p -----
        ldap1   IN A
        ldap2   IN A
        ldap3   IN A
        ; Round-robin
        ldap    IN A
                IN A
                IN A
        ----- s n i p -----

This way, every time you're accessing 'ldap.domain.ltd', it will
query a random ldap? server. Oki, you still have the problem with
the cert name...

I have setup the server cert to contain the ldap? entries, so I
can't really query 'ldap.domain.ltd' through SSL. I haven't figured
out how to create an alias in the cert, but at least I can use
(or take down!) any server I like, without interrupting queries...

> -----Original Message-----
> From: Turbo Fredriksson [mailto:turbo@bayour.com]
> Sent: Thursday, March 06, 2003 12:39 PM
> To: openldap-software@OpenLDAP.org
> Subject: Re: Q: OpenLDAP In A 'Heartbeat' Cluster
> >>>>> "Tim" == Tim Robbins <Tim.Robbins@ChoicePointPRG.net> writes:
>     Tim> I am currently running OpenLDAP and replicating successfully
>     Tim> from node 'A' to node 'B'.  I have installed the HA-Linux
>     Tim> "heartbeat" cluster SW and successfully and fail over my
>     Tim> logical IP address.  I am using TLS and can reach both nodes
>     Tim> successfully using GQ with TLS enabled.  When I try and
>     Tim> connect to the logical node, it errors saying that hostname
>     Tim> does not match.  I have generated a seperate certifcate using
>     Tim> the logical name and appended it to the cert file that is
>     Tim> loaded in the slapd.conf.
>     Tim> Is there anything else I have missed with regards to my
>     Tim> configuration?
> No. This is 'expected' behaviour... If you have the same cert on both
> hosts, say it's for host 'ldap.domain.tld', then as long as you're 
> refering to the LDAP server as 'ldap.domain.tld' is ok. But when you're
> trying to reference the hosts individually ('ldap1.domain.tld' and/or
> 'ldap2.domain.tld' for example), then naturaly the FQDN of the cert
> won't match...
> It should be possible to add 'alias' (or additional CN entries) in a
> cert, but I never managed to figure out how to do that...
terrorist Uzi jihad killed attack security pits tritium Rule Psix
Semtex Ortega genetic class struggle Legion of Doom KGB
[See http://www.aclu.org/echelonwatch/index.html for more about this]