[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Secure Replication in a Redundant System

I can help you with the SSL bit, having just figured it out myself.

In your openssl.cnf add the following in the [usr_cert] section:

Now you can generate certificates for te correct hostname of the servers
and they will also
Work with ldap.mycompany.com, use the correct hostname for replication
and have clients make
Their requests to ldap.mycompany.com.

Be sure to point your ldap.conf on the clients to the correct CA cert
for this to work.

If you still have problems contact me off the list.

Jeff Saxton
Sr. Support Engineer
Addamark Technologies, Inc.
CELL: +1 415-640-6392

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Quanah
Sent: Tuesday, August 17, 2004 8:55 AM
To: OpenLDAP-software@OpenLDAP.org
Subject: Re: Secure Replication in a Redundant System

--On Tuesday, August 17, 2004 6:28 PM +0800 Louis Casambre 
<rldpmddm@info.com.ph> wrote:

> Hi all,
> I've been working on putting together a secure LDAP system with 
> multiple slaves for redundancy. So far so good, we now have 1 master 
> and 3 slaves with their clients capable of querying any of them using 
> TLS and SASL/Kerberos.
> Now I'd like use a DNS entry like ldap.mydomain.com so that the load 
> will "evenly" distribute among them.  My problem is that would I have 
> to change the SSL certificates to match their generic FQDN, but then 
> how would I refer to them for replication?

You could simply use SASL/Kerberos for the replication, which will be 
secure as well, rather than SSL for that bit.


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html