Re: [Fedora-directory-users] Hostname does not match CN....
- From: Alex aka Magobin <magobin gmail com>
- To: "General discussion list for the Fedora Directory server project." <fedora-directory-users redhat com>
- Subject: Re: [Fedora-directory-users] Hostname does not match CN....
- Date: Tue, 04 Apr 2006 16:02:53 +0200
> [root cnyldap01 alias]# ../shared/bin/certutil -L -d .
> CA certificate CTu,u,u
> NJ-Server-Cert u,u,u
> NJ-admin-server-cert u,u,u
> NY-Server-Cert u,u,u
> NY-admin-server-cert u,u,u
>
Yes, more or less like me... I didn't configure admin.
> Now, for the floating IP. If you've two nodes, node1 & node2 and a VIP, ldap.com and your outside
> clients talk to ldap.com and your certs are signed with node1 & node2 then I'm guessing SSL
> verification will fail. You're trying to talk to ldap.com but your certs are signed with node1/2
> -- no go. For this end to end SSL to work, you'd need an SSL terminator IN FRONT of the FDS
> servers, something that will impersonate ldap.com, return a cert for ldap.com and then turn around
> and encrypt the traffic again, passing it to either node1 or node2. A cute little problem is what
> to do when the ssl proxy fails? :)
Unfortunately too complicated for me at this moment :-(
> The thing is like this. What is the problem you are trying to solve? Why have two FDS servers in
> 1 location? Why have the virtual IP? It really doesn't buy you a whole lot.
>
Ok Susan... the problem is configuring Fedora DS in a cluster scenario; I
have two options:
1) Configuring Fedora DS on a GFS file system so I can move DS from nodo1
to nodo2 if it fails for some reason
2) Taking advantage of multi-master replication to do the same
thing... but in this case I have to configure a floating IP and an entry in
DNS that points to that IP, because I don't want clients to point directly to
the nodes
...The second option is better because in this way I can do load
balancing... but even if I use the real names and real IP addresses of nodo1 and
nodo2 the problem is SSL... of course, I can use wildcards as Rob
says... but in that case it is a whole security
> Have 2 FDSs insist but then list all of them in the clients' ldap.conf -- no problem.
Please, can you explain this? How can I configure the clients' ldap.conf to
listen to both servers in SSL mode?
Thanks... like always,
Alex
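As an added example (not from this thread or from Fedora DS itself), this is how the "list all of them in the clients' ldap.conf" suggestion looks for an OpenLDAP-based client: both nodes are listed by the real hostnames that appear in their certificate CNs, so hostname verification passes without a VIP or a wildcard certificate. The hostnames, base DN and CA file path are placeholders; the client library is assumed to be OpenLDAP's libldap.

```conf
# Added example, not configuration from the thread. OpenLDAP client ldap.conf
# (typically /etc/openldap/ldap.conf) for two FDS nodes with multi-master
# replication and no floating IP.

# libldap tries the URIs in order and falls back to the next one when a
# server is unreachable, so clients get failover without a VIP. Each name
# here MUST match the CN in that server's certificate. Placeholder names:
URI   ldaps://nodo1.example.com:636 ldaps://nodo2.example.com:636
BASE  dc=example,dc=com

# CA certificate that signed BOTH server certificates (the same CA shown as
# "CA certificate" by certutil -L on the servers). Placeholder path:
TLS_CACERT   /etc/openldap/cacerts/fds-ca.pem

# Verify the chain AND the hostname-vs-CN match, failing the connection on
# any mismatch. Relaxing this to 'allow' or 'never' makes a "Hostname does
# not match CN" error disappear only by disabling server authentication.
TLS_REQCERT  demand
```

With this layout each node is addressed only by the name in its own certificate, so the VIP/CN mismatch described earlier in the thread never arises on the client side.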