Hello,

Thanks for your prompt reply. Yes, I'm also using the CA path attribute to specify my CA trust chain. So, as you said, I will use the same path on each node.

Thanks again!

2014-12-09 20:30 GMT+01:00 Quanah Gibson-Mount <[email protected]>:

> --On Tuesday, December 09, 2014 7:14 PM +0100 coma <[email protected]> wrote:
>
>> Dear List,
>>
>> I'm using N-Way multimaster replication with 2 servers (I will use it on
>> 30 servers soon). Each server is using its own certificate, so the
>> content of TLSCertificateFile and TLSCertificateKeyFile is different in
>> the cn=config of each of them.
>>
>> My problem is that cn=config is replicated on all servers, including
>> TLSCertificateFile and TLSCertificateKeyFile... therefore replication is
>> obviously not working (the certificate and key path of the first server
>> are replicated on the second server).
>>
>> I know there are some solutions to work around this "issue", like:
>> - Don't replicate cn=config
>> - Use the same certificate and key for all servers
>> - Use the same certificate and key path in cn=config (ex:
>> /etc/openldap/cert/common_cert_name.pem and
>> /etc/openldap/cert/common_cert_name.key) and then make symlinks to the
>> correct files on the local server
>>
>> but I would avoid this type of solution if possible, so I would like to
>> know if there is a solution to avoid replicating TLSCertificateFile and
>> TLSCertificateKeyFile, or some other trick?
>>
>
> Every server must be able to validate the cert of the other MMR nodes.
> For that, it would be easiest to use the CA path attribute (vs file
> attribute). For the cert setup for the servers themselves, generally yes,
> you can work around that by having the same path to the cert on each node.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
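The workaround both participants settle on (one cluster-wide path in the replicated cn=config, a per-node symlink behind it, and the CA trust chain supplied via the CA path attribute) as an added shell example; it is not code from the thread or from the OpenLDAP project. It assumes a layout of `<node>.crt` and `<node>.key` files plus a hashed `ca/` directory under one certificate directory, and the function and variable names are chosen for this example; the `olcTLS*` attribute names are the real cn=config ones.

```shell
#!/bin/sh
# Added example, not from the thread. Every MMR node replicates the same
# cn=config, so the olcTLSCertificateFile / olcTLSCertificateKeyFile values
# must be identical everywhere; each node then points those common names at
# its own certificate and key with symlinks.
#
# Assumed layout (hypothetical):  $dir/<node>.crt, $dir/<node>.key, $dir/ca/

COMMON_CERT="common_cert_name.pem"   # common names taken from the thread
COMMON_KEY="common_cert_name.key"

# link_node_tls DIR NODE
# Point DIR/$COMMON_CERT and DIR/$COMMON_KEY at DIR/NODE.crt and DIR/NODE.key.
# Refuses to run if either per-node file is missing, so a node never starts
# with a dangling link or another node's key.
link_node_tls() {
    dir=$1; node=$2
    [ -f "$dir/$node.crt" ] || { echo "missing cert for $node" >&2; return 1; }
    [ -f "$dir/$node.key" ] || { echo "missing key for $node" >&2; return 1; }
    chmod 0600 "$dir/$node.key"            # private key: owner-only
    ln -sfn "$node.crt" "$dir/$COMMON_CERT" # relative targets survive moves of DIR
    ln -sfn "$node.key" "$dir/$COMMON_KEY"
}

# check_node_tls DIR NODE
# Verify that the common names resolve to NODE's own files and that the key
# is not group/world readable. Returns non-zero on any mismatch.
check_node_tls() {
    dir=$1; node=$2
    [ "$(readlink "$dir/$COMMON_CERT")" = "$node.crt" ] || return 1
    [ "$(readlink "$dir/$COMMON_KEY")" = "$node.key" ] || return 1
    [ -r "$dir/$COMMON_KEY" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    perms=$(stat -c %a "$dir/$node.key" 2>/dev/null || stat -f %Lp "$dir/$node.key")
    [ "$perms" = "600" ] || return 1
}

# ldif_common_tls DIR
# Print the TLS attributes that are safe to replicate: they name only the
# common path and the CA directory, never a node-specific file.
ldif_common_tls() {
    dir=$1
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: $dir/ca
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $dir/$COMMON_CERT
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $dir/$COMMON_KEY
EOF
}

# Usage on each node (hypothetical path), before slapd starts:
#   . ./tls_links.sh && link_node_tls /etc/openldap/cert "$(hostname -s)" \
#     && check_node_tls /etc/openldap/cert "$(hostname -s)"
```

`ldif_common_tls` is meant to be applied once through `ldapmodify` against cn=config; because its values are the same on every node, replicating it is harmless. A directory given to `olcTLSCACertificatePath` must contain hash-named links (`c_rehash` or `openssl rehash`) or the peer certificates will not validate. Running `check_node_tls` from the service's pre-start hook catches the failure mode the thread describes: a node starting with links that still point at another node's material.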
