>>> Chris Jacobs <[email protected]> wrote on 09.12.2014 at 23:18 in message
<6c447584419bfe4e83d46e88f8131486d2ccb79...@exch07-05.apollogrp.edu>:
> I use a cert with the VIP used by clients, and the hostnames used between the
> servers all set up in the subjectaltname of the certificate.

But this "solution" does not scale well when adding or removing servers...

>
> From: openldap-technical [mailto:[email protected]] On
> Behalf Of coma
> Sent: Tuesday, December 09, 2014 1:13 PM
> To: Michael Ströder
> Cc: [email protected]
> Subject: Re: N-Way multimaster Replication with TLS and multiple server
> certificates
>
> Hello,
> ok thank you. Just wanted to know if there was an alternative, now I know
> there are none! I will do as Quanah and you said.
> Thanks again for your responsiveness!
>
> 2014-12-09 20:55 GMT+01:00 Michael Ströder <[email protected]>:
> coma wrote:
>> My problem is that cn=config is replicated on all servers, including
>> TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
>> is obviously not working (the certificate and key path of the first server
>> are replicated on the second server).
>>
>> I know there are some solutions to work around this "issue", like:
>> - Don't replicate cn=config
>> - Use the same certificate and key for all servers
>> - Use the same certificate and key path in cn=config (ex:
>> /etc/openldap/cert/common_cert_name.pem and
>> /etc/openldap/cert/common_cert_name.key) and then make symlinks to the
>> correct files on the local server
>
> ..or directly place the correct files at the same certificate and key path.
>
> Yes, that's what
> ansible/puppet/chef/name-your-favourite-config-management-tool
> is for.
>
> Ciao, Michael.
>
>
> ________________________________
> This message is private and confidential. If you have received it in error,
> please notify the sender and remove it from your system.
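The approach the thread settles on (one path in cn=config on every server, per-host certificate and key placed at that path by config management) fails silently when a host ends up with the wrong files, because cn=config looks correct everywhere. The following check script is an added example and not code from the thread or from the OpenLDAP project. It assumes the common paths quoted above, that slapd listens on ldapi:/// and root can bind with SASL EXTERNAL, and that an optional LDAP_VIP variable names the VIP clients connect to; the script name and the functions config_paths_ok, cert_matches_key and cert_has_san are hypothetical.

```shell
#!/bin/sh
# check_ldap_tls.sh - run on every replica after cn=config has replicated.
# Added example, not from the thread. Assumptions: the common paths from the
# thread are used on every server, slapd listens on ldapi:/// and root may
# bind with SASL EXTERNAL, and LDAP_VIP (optional, hypothetical) names the
# VIP that clients use, which must also be in every per-host certificate.
set -eu

CERT=/etc/openldap/cert/common_cert_name.pem
KEY=/etc/openldap/cert/common_cert_name.key

# $1: LDIF of the cn=config entry. Succeeds only if both olcTLS* attributes
# point at the common paths; a per-host path here would be overwritten by the
# next replication and break TLS on every other server.
config_paths_ok() {
    printf '%s\n' "$1" | grep -Fqx "olcTLSCertificateFile: $CERT" &&
    printf '%s\n' "$1" | grep -Fqx "olcTLSCertificateKeyFile: $KEY"
}

# $1: certificate, $2: private key. Succeeds if the key's public half equals
# the certificate's public key, i.e. the two files deployed here belong together.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# $1: certificate, $2: DNS name. Succeeds if the subjectAltName carries exactly
# "DNS:$2"; the SAN line is split on commas so no substring of another entry
# is accepted.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fqx "DNS:$2"
}

main() {
    host=$(hostname -f)
    # The olcTLS* attributes live on the cn=config entry itself.
    ldif=$(ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base \
               olcTLSCertificateFile olcTLSCertificateKeyFile)
    config_paths_ok "$ldif" ||
        { echo "cn=config does not use $CERT / $KEY" >&2; exit 1; }
    cert_matches_key "$CERT" "$KEY" ||
        { echo "$KEY does not belong to $CERT" >&2; exit 1; }
    for name in "$host" ${LDAP_VIP:-}; do
        cert_has_san "$CERT" "$name" ||
            { echo "$CERT has no SAN for $name" >&2; exit 1; }
    done
    echo "ok: $CERT and $KEY are valid for $host on this replica"
}

# Run the checks only when invoked with --run, so the functions can also be
# sourced from another script.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as the last step of the config-management play that drops the per-host files, with LDAP_VIP set to the client-facing name; a non-zero exit means this replica would either present another host's certificate or fail to load its key at the next slapd restart.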
