
Re: RE: N-Way multimaster Replication with TLS and multiple server certificates



>>> Chris Jacobs <Chris.Jacobs@apollo.edu> wrote on 09.12.2014 at 23:18 in message
<6C447584419BFE4E83D46E88F8131486D2CCB794E0@EXCH07-05.apollogrp.edu>:
> I use a cert with the VIP used by clients, and the hostnames used between the
> servers all set up in the subjectaltname of the certificate.

But this "solution" does not scale well when adding or removing servers...

> 
> From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On
> Behalf Of coma
> Sent: Tuesday, December 09, 2014 1:13 PM
> To: Michael Ströder
> Cc: openldap-technical@openldap.org 
> Subject: Re: N-Way multimaster Replication with TLS and multiple server 
> certificates
> 
> Hello,
> ok thank you. Just wanted to know if there was an alternative, now I know 
> there are none! I will do as Quanah and you said.
> Thanks again for your responsiveness!
> 
> 2014-12-09 20:55 GMT+01:00 Michael Ströder 
> <michael@stroeder.com<mailto:michael@stroeder.com>>:
> coma wrote:
>> My problem is that cn=config is replicated on all servers, including
>> TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
>> is obviously not working (the certificate and key path of the first server
>> are replicated on the second server).
>>
>> I know there are some solutions to work around this "issue", like:
>> - Don't replicate cn=config
>> - Use the same certificate and key for all servers
>> - Use the same certificate and key path in cn=config (ex:
>> /etc/openldap/cert/common_cert_name.pem and
>> /etc/openldap/cert/common_cert_name.key) and then make symlinks to the
>> correct files on the local server
> 
> ...or directly place the correct files at the same certificate and key path.
> 
> Yes, that's what
> ansible/puppet/chef/name-your-favourite-config-management-tool
> is for.
> 
> Ciao, Michael.
> 
> 
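The common-path workaround discussed in the thread (one TLSCertificateFile/TLSCertificateKeyFile value in the replicated cn=config, with each host's real certificate placed or symlinked at that path) has an obvious failure mode: if the wrong files end up at the common path, a server either fails TLS or presents another server's certificate. The following pre-start check is an added example, not code from the thread or from OpenLDAP. It assumes the paths quoted above (/etc/openldap/cert/common_cert_name.pem and .key), the `openssl` command-line tool, and `hostname -f` returning the name the certificate should carry as a DNS subjectAltName; the `--check` entry point is a hypothetical convention for running it from a systemd ExecStartPre or a config-management handler.

```shell
#!/bin/sh
# Hypothetical pre-start check for the "same cert path on every replica" setup:
# confirm that the certificate at the common path really belongs to this host
# and that the key at the common path matches it.

# Assumed common paths, taken from the thread; override via environment.
CERT=${CERT:-/etc/openldap/cert/common_cert_name.pem}
KEY=${KEY:-/etc/openldap/cert/common_cert_name.key}

# san_contains CERT HOST -> exit 0 if HOST is listed as a DNS subjectAltName.
# Uses the text dump rather than -ext so it works with older openssl builds.
san_contains() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

# key_matches CERT KEY -> exit 0 if the public key in CERT equals the one derived from KEY.
# Compare SHA-256 digests of the DER-encoded public keys.
key_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_local_cert HOST CERT KEY -> exit 0 only if both checks pass.
check_local_cert() {
  host=$1; cert=$2; key=$3
  [ -r "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "missing key: $key" >&2; return 1; }
  san_contains "$cert" "$host" \
    || { echo "$cert carries no DNS SAN for $host (wrong replica's cert at the common path?)" >&2; return 1; }
  key_matches "$cert" "$key" \
    || { echo "$key does not match $cert" >&2; return 1; }
  echo "ok: $cert is the certificate for $host and matches $key"
}

# Run the check only when invoked with --check, e.g. from ExecStartPre=.
case "${1:-}" in
  --check) check_local_cert "$(hostname -f)" "$CERT" "$KEY" ;;
esac
```

Running `sh check-ldap-cert.sh --check` on each replica before slapd starts turns a silent misplacement (cert and key replicated or copied from another server) into a clear failure at the host where it happened, which is far easier to spot than TLS errors surfacing later in syncrepl logs.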