Tom Tucker 09-09-2012 01:29 AM

SSL - Multiple Server Certs
 
I have two 389 servers and a RHEL 6 sssd configured client. LDAP and LDAPS authentication is working against
these identical DS. My question is centered around client side certificate handling.

Is it possible to reference multiple server certs from /etc/openldap/cacerts? For example, if my primary server
devldaps4901 is unreachable, connect to devldaps4902 using its cert located in
/etc/openldap/cacerts (see below)?

I am able to fail over manually if I delete the ee8c0644.0
hash and recreate it pointing to devldaps4902 along with an sssd restart. Am I missing something obvious here or is my
approach all wrong?

Thank you,

Rich,

Thanks for the setupssl2.sh script. It worked great!

ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://devldaps4901.autotrader.com,ldaps://devldaps4902.autotrader.com

[root@rhel6-client cacerts]# ls -l
total 8
-rw-r--r--. 1 root root 647 Sep  8 16:02 devldaps4901.asc
-rw-r--r--. 1 root root 647 Sep  8 16:02 devldaps4902.asc
lrwxrwxrwx. 1 root root  16 Sep  8 19:13 ee8c0644.0 -> devldaps4901.asc
lrwxrwxrwx. 1 root root  16 Sep  8 19:13 ee8c0644.1 -> devldaps4902.asc

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 09-10-2012 03:09 PM

SSL - Multiple Server Certs
 
On 09/08/2012 07:29 PM, Tom Tucker wrote:

> I have two 389 servers and a RHEL 6 sssd configured client. LDAP and LDAPS
> authentication is working against these identical DS. My question is
> centered around client side certificate handling.
>
> Is it possible to reference multiple server certs from /etc/openldap/cacerts?
> For example, if my primary server devldaps4901 is unreachable, connect to
> devldaps4902 using its cert located in /etc/openldap/cacerts (see below)?
>
> I am able to fail over manually if I delete the ee8c0644.0 hash and
> recreate it pointing to devldaps4902 along with an sssd restart. Am I
> missing something obvious here or is my approach all wrong?

Yes. Clients do not need to know anything about server certs. The
only thing the clients need to know is the CA cert.



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
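Rich's point, that the client trusts the CA rather than each server's cert, as an added example that is not from the thread nor from 389 or sssd: a throw-away CA signs certs for two made-up servers, a cacerts directory holding only that CA cert in the hash-named layout ldap_tls_cacertdir expects validates both, and a cert from an unrelated CA is rejected even when it reuses the same subject name (hostnames, subjects and paths are all constructed here).

```shell
#!/bin/sh
# Added example, not from the thread: a throw-away CA issues certs for two
# hypothetical servers, and a cacerts dir holding ONLY the CA cert (hash-named,
# the layout ldap_tls_cacertdir expects) validates both. Hostnames are made up.
set -e

# Build a CA and a cacerts dir laid out like /etc/openldap/cacerts.
make_ca() {
  dir=$1; cn=$2
  mkdir -p "$dir/cacerts"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$cn" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  cp "$dir/ca.pem" "$dir/cacerts/ca.pem"
  # OpenSSL finds CA certs by subject-name hash: <hash>.0, <hash>.1, ...
  ln -sf ca.pem "$dir/cacerts/$(openssl x509 -hash -noout -in "$dir/ca.pem").0"
}

# Issue a server cert signed by the CA in $dir; the client never sees this file.
issue_server_cert() {
  dir=$1; host=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/$host.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$host.pem" 2>/dev/null
}

# 0 if $cert chains to a CA in $cacerts, 1 otherwise. Checks the printed
# verdict rather than the exit code, which older OpenSSL releases left at 0.
verify_against_cacertdir() {
  cacerts=$1; cert=$2
  openssl verify -CApath "$cacerts" "$cert" 2>/dev/null | grep -q ': OK$'
}

# Two servers under the trusted CA pass; a cert from an unrelated CA that reuses
# the same subject name (so the same hash file name) is still rejected.
demo() {
  work=$(mktemp -d)
  make_ca "$work/good" "Example Test CA"
  make_ca "$work/other" "Example Test CA"
  issue_server_cert "$work/good" ldap1.example.test
  issue_server_cert "$work/good" ldap2.example.test
  issue_server_cert "$work/other" ldap3.example.test
  verify_against_cacertdir "$work/good/cacerts" "$work/good/ldap1.example.test.pem" || return 1
  verify_against_cacertdir "$work/good/cacerts" "$work/good/ldap2.example.test.pem" || return 1
  if verify_against_cacertdir "$work/good/cacerts" "$work/other/ldap3.example.test.pem"; then
    return 1
  fi
  rm -rf "$work"
}
```

Running `demo` exits 0 only when both trusted servers verify and the unrelated one does not; swapping a server cert for the CA cert in the cacerts dir is the situation the thread describes, and it fails the moment the other server answers.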

