SSL - Multiple Server Certs
On 09/08/2012 07:29 PM, Tom Tucker wrote:
I have two 389 servers and a RHEL 6 sssd-configured client. LDAP and LDAPS authentication is working against these identical DS. My question is centered around client side certificate handling.

Is it possible to reference multiple server certs from /etc/openldap/cacerts? For example, if my primary server devldaps4901 is unreachable, connect to devldap4902 using its cert located in /etc/openldap/cacerts (see below)?

I am able to fail over manually if I delete the ee8c0644.0 hash and recreate it pointing to devldaps4902 along with an sssd restart. Am I missing something obvious here or is my approach all wrong?
Yes. Clients do not need to know anything about server certs. The only thing the clients need to know is the CA cert.
Thank you,
Rich,
Thanks for the setupssl2.sh script. It worked great!
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://devldaps4901.autotrader.com,ldaps://devldaps4902.autotrader.com
[root@rhel6-client cacerts]# ls -l
total 8
-rw-r--r--. 1 root root 647 Sep  8 16:02 devldaps4901.asc
-rw-r--r--. 1 root root 647 Sep  8 16:02 devldaps4902.asc
lrwxrwxrwx. 1 root root  16 Sep  8 19:13 ee8c0644.0 -> devldaps4901.asc
lrwxrwxrwx. 1 root root  16 Sep  8 19:13 ee8c0644.1 -> devldaps4902.asc
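An added example, not code from this thread or from 389/sssd: a small POSIX shell audit of an ldap_tls_cacertdir that prints each certificate's OpenSSL subject hash (the ee8c0644 part of the HASH.N symlink names) and whether it is a CA or an end-entity server cert, which is the distinction Rich's answer turns on. It assumes openssl is installed and builds a throwaway CA plus a server cert it issued, so it runs offline against constructed input.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an sssd ldap_tls_cacertdir:
# clients only need the CA certificate there, so any end-entity (server)
# certificate found is reported as a misconfiguration. Assumes openssl.
set -eu

# classify_cert FILE -> "ca" if basicConstraints says CA:TRUE, else "leaf"
classify_cert() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo leaf
    fi
}

# subject_hash FILE -> the 8-hex-digit subject hash that c_rehash uses for
# the HASH.N symlinks (the ee8c0644 in ee8c0644.0)
subject_hash() {
    openssl x509 -in "$1" -noout -hash
}

# audit_cacertdir DIR -> one line per .pem/.asc file; returns 1 if any
# end-entity cert is present, 0 if the directory holds only CA certs
audit_cacertdir() {
    rc=0
    for f in "$1"/*.pem "$1"/*.asc; do
        [ -f "$f" ] || continue
        kind=$(classify_cert "$f")
        printf '%s.N -> %s [%s]\n' "$(subject_hash "$f")" "$(basename "$f")" "$kind"
        [ "$kind" = leaf ] && rc=1
    done
    return "$rc"
}

# make_demo_dir -> path of a temp dir holding a constructed throwaway CA
# (ca.pem) and a server cert it issued (srv.asc); demonstration data only
make_demo_dir() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=ldap.demo.test' \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\n' > "$d/srv.ext"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/srv.ext" \
        -out "$d/srv.asc" >/dev/null 2>&1
    echo "$d"
}
# Usage on a real client: audit_cacertdir /etc/openldap/cacerts
```

A non-zero exit from audit_cacertdir means the directory holds a server cert rather than (or as well as) the CA cert, which is the situation the thread describes.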
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users