What I did:
* set up servers behind VIP
* obtain cert with primary name of vip DNS w/ secondary names of the servers.
That way, the servers can sync/trust each other via the same cert used by clients.
Note: some clients (looking at you Firefox) won't use the primary name if subjectaltname exists - so include primary name in the alt names JIC.
Chris Jacobs, Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc.
2001 6th Ave | Suite 3200 | Seattle, WA 98121
direct 206.839.8245 | cell 206.601.3256 | fax 206.839.8106
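As an added example (not from the thread), the shell check below shows the reply's point with OpenSSL: a certificate whose CN is the VIP name but whose subjectAltName lists only the two backend servers does not verify for the VIP name, because a verifier that finds a SAN ignores the CN, just as the Firefox note says. The server names ldap-sid1/ldap-sid2.example.com come from the thread; the VIP name ldap.example.com, the self-signed setup and the file names are assumptions.

```shell
#!/bin/sh
# Build two self-signed test certs (CN = VIP name) and check which hostnames
# verify against each. Assumed VIP name: ldap.example.com.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
VIP=ldap.example.com
S1=ldap-sid1.example.com
S2=ldap-sid2.example.com

# make_cert NAME "SAN-list": key + self-signed cert with CN=$VIP and given SAN.
make_cert() {
  cat >"$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $VIP
[ext]
subjectAltName = $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/$1.key" \
    -out "$WORK/$1.crt" -config "$WORK/$1.cnf" >/dev/null 2>&1
}

# verify_host NAME HOST: exit 0 only if HOST matches the cert's SAN entries
# (the self-signed cert is used as its own trust anchor).
verify_host() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Cert 1: SAN has only the servers, VIP name is in the CN alone.
make_cert noVip "DNS:$S1,DNS:$S2"
# Cert 2: SAN repeats the VIP name, as the reply recommends.
make_cert withVip "DNS:$VIP,DNS:$S1,DNS:$S2"

# Show the matrix; only "noVip ldap.example.com" comes out FAIL.
for c in noVip withVip; do
  for h in "$VIP" "$S1" "$S2"; do
    if verify_host "$c" "$h"; then r=OK; else r=FAIL; fi
    echo "$c $h $r"
  done
done
```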
From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
To: firstname.lastname@example.org <email@example.com>
Sent: Fri Aug 26 12:49:04 2011
Subject: Syncrepl over TLS for mirrormode
syncrepl rid=001 provider=ldap://ldap-sid2.example.com bindmethod=simple binddn="cn=mirrormode,dc=example,dc=com" credentials=mirrormode searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +"

and I can set two different certificates so that TLS is fine for sync between the two nodes. However we will have regular LDAP clients access these two nodes behind a loadbalancer over TLS too. Obviously the client can't connect with ldap-sid2.example.com, nor with ldap-sid1.example.com. So what is the solution to this scenario? Set up a pool of consumers with the same hostname?

syncrepl rid=001 provider=ldap://ldap-sid1.example.com bindmethod=simple binddn="cn=mirrormode,dc=example,dc=com" credentials=mirrormode searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +"