[Fedora-directory-users] Hostname does not match CN....

Susan logastellus at yahoo.com
Tue Apr 4 13:37:50 UTC 2006


--- George Holbert <gholbert at broadcom.com> wrote:

> > Uhm...I can try, but in that case, is it possible that I've a problem 
> > with replication ?
> 
> I don't think so.  I've noticed that replication agreements over SSL 
> don't seem to care about hostname / CN matching, although they do check 
> that the CA is trusted.  If I have the wrong impression on this, someone 
> please say so :).

Guys,

you shouldn't have to do this.  This is what I have in my cert DB:

[root at cnyldap01 alias]# ../shared/bin/certutil -L -d .
CA certificate                                               CTu,u,u
NJ-Server-Cert                                               u,u,u
NJ-admin-server-cert                                         u,u,u
NY-Server-Cert                                               u,u,u
NY-admin-server-cert                                         u,u,u

I then sent the cert8.db & key3.db over to the other server, set up the replication agreements back
& forth and voila!  Basically, I shoved all my certs in 1 DB and blasted that everywhere.

Now, for the floating IP.  If you've two nodes, node1 & node2 and a VIP, ldap.com and your outside
clients talk to ldap.com and your certs are signed with node1 & node2 then I'm guessing SSL
verification will fail.  You're trying to talk to ldap.com but your certs are signed with node1/2
-- no go.  For this end to end SSL to work, you'd need an SSL terminator IN FRONT of the FDS
servers, something that will impersonate ldap.com, return a cert for ldap.com and then turn around
and encrypt the traffic again, passing it to either node1 or node2.  A cute little problem is what
to do when the ssl proxy fails?  :)

The thing is like this.  What is the problem you are trying to solve?  Why have two FDS servers in
1 location?  Why have the virtual IP?  It really doesn't buy you a whole lot.  Have 2 FDSs if you
insist but then list all of them in the clients' ldap.conf -- no problem.

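As an added illustration (not code from the thread), here is the hostname-matching step a client performs against the certificate a server presents. It models the VIP scenario above with constructed certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the hostnames node1.ldap.com, node2.ldap.com and ldap.com are assumed for the example.

```python
"""Does the server's certificate cover the name the client dialed?

Implements the usual client rule: if the certificate carries subjectAltName
dNSName entries, only those count; otherwise fall back to the subject CN.
A single wildcard is honoured only in the leftmost label (RFC 6125 style).
"""
import re


def _match_dns(pattern: str, hostname: str) -> bool:
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split('.'), hostname.split('.')
    # Wildcard must be in the leftmost label and cannot span a dot, so the
    # label counts must agree; '*.ldap.com' therefore never matches 'ldap.com'.
    if len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    if any('*' in lab for lab in plabels[1:]):
        return False
    head = re.escape(plabels[0]).replace(r'\*', '[^.]*')
    return re.fullmatch(head, hlabels[0]) is not None and plabels[1:] == hlabels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """cert is in the dict layout returned by ssl.SSLSocket.getpeercert()."""
    dns_names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if dns_names:
        return any(_match_dns(n, hostname) for n in dns_names)
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                return _match_dns(value, hostname)
    return False


# Constructed sample certificates (not real certs from the thread).
NODE1_CERT = {'subject': ((('commonName', 'node1.ldap.com'),),),
              'subjectAltName': (('DNS', 'node1.ldap.com'),)}
# A cert issued for the node that also lists the VIP name it answers for.
VIP_CERT = {'subject': ((('commonName', 'node1.ldap.com'),),),
            'subjectAltName': (('DNS', 'node1.ldap.com'), ('DNS', 'ldap.com'))}
WILDCARD_CERT = {'subject': ((('commonName', '*.ldap.com'),),)}

if __name__ == '__main__':
    for name, cert in (('node1', NODE1_CERT), ('vip', VIP_CERT), ('wild', WILDCARD_CERT)):
        for host in ('node1.ldap.com', 'node2.ldap.com', 'ldap.com'):
            print(f'{name:5} cert, client dials {host:15}: '
                  f'{"OK" if cert_matches_hostname(cert, host) else "MISMATCH"}')
```

With a cert issued only for node1, a client dialing ldap.com sees a mismatch, which is exactly the failure described above; listing the VIP name as a subjectAltName on each node's cert (or terminating TLS in front of the nodes with a cert for ldap.com) resolves it.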