[Fedora-directory-users] question about SSL configuration with IP takeover HA setup

Ryan Braun Ryan.Braun at ec.gc.ca
Thu Sep 20 20:12:24 UTC 2007


Hey guys, installed FDS on a couple of Debian servers this week and am liking it
so far. I have a couple of questions regarding SSL/TLS setup with servers set up
for an IP-takeover type HA setup. Keep in mind I have some experience with the
LDAP side of things; it's the SSL and all the different certs and whatnot
that keep me up at night.

Essentially what I'm looking at is a 4-way multimaster setup, ending up with
2 HA pairs of servers; call them eastldap and westldap. I've implemented
the east side in my test lab and have it replicating and can pull any user
info I need off the directory, no problem.

So:
eastldap0.test.com ip 192.168.0.11
eastldap1.test.com ip 192.168.0.12
and the virtual interface on whichever machine is master would be
eastldap.test.com ip 192.168.0.10

and then the exact same setup with the last 2

westldap0.test.com ip 192.168.1.11
westldap1.test.com ip 192.168.1.12
westldap.test.com ip 192.168.1.10

Once everything is set up and running, clients would primarily only be
connecting to either virtual interface, west/eastldap, using TLS over port 389,
and the 4 masters replicating with encryption (not sure, but I imagine this
takes place on the ldaps port).

I followed the instructions on the howto:ssl page and created a cert located
on eastldap0. But instead of using eastldap0.test.com as the CN, I used
eastldap.test.com. Cert installed OK; made sure eastldap0 was the HA master
and restarted FDS.

When I copied over the cacert to a Linux client, I can run searches using
ldapsearch -ZZ -h eastldap.test.com. Server logs and wire sniffs confirm
everything is coming back encrypted. It seems to be behaving as expected:
when I try ldapsearch -ZZ -h eastldap0.test.com, it pukes with error 11,
additional info: TLS: hostname does not match CN in peer certificate, which
is right, as the name in the cert is eastldap.test.com.

So it would appear I'm on my way; I'm just not sure about what certs I need
now, and how to add them properly. I would think I need at the very least:

eastldap0 
- eastldap0.test.com cert
- eastldap.test.com cert
eastldap1
- eastldap1.test.com cert
- eastldap.test.com cert
westldap0
- westldap0.test.com cert
- westldap.test.com cert
westldap1
- westldap1.test.com cert
- westldap.test.com cert

I'm just not sure if that is the proper way to go about it. Also, I would
like the clients to be able to have all the cacerts, so they can
communicate with all virtual and physical addresses if need be. Later on, I
would probably be adding 5 or 6 read-only consumer replicas in between the
suppliers and the clients, but one must walk before one runs, I guess :)

Long post, I know; just trying to make sure I get all the important stuff out
there. Be kind if I was using the incorrect terminology for the
certs/cacerts :)

Ryan

PS. Anyone have a good "SSL for dummies" reference that lays out what the heck
is going on with SSL (PEMs, keys, certs, cacerts, etc.)?
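The error 11 above comes from the client comparing the name it connected to against the names carried in the server's certificate, so one way to cover the virtual name and both physical names of a pair with a single certificate is a subjectAltName (SAN) extension. The script below is an added example, not code from the post or from Fedora Directory Server: it assumes the openssl CLI (1.0.2 or newer, for -verify_hostname), mints a throwaway test CA and a SAN certificate for the east pair's hostnames from the post, and then checks which hostnames that certificate matches; importing the result into FDS's own certificate database is a separate step not shown here.

```shell
#!/bin/sh
# Added example, not from the original post or the FDS project: one server
# certificate whose subjectAltName lists the HA pair's virtual name and both
# physical names, checked the way a TLS client checks it. Assumes the openssl
# CLI (1.0.2 or newer, for -verify_hostname) and a writable temp directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

VIRTUAL=eastldap.test.com                          # IP-takeover name from the post
PHYSICAL="eastldap0.test.com eastldap1.test.com"   # the two real hosts of the pair

make_certs() {
    # Test CA, standing in for the cacert that gets copied to the clients.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test LDAP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Server key + CSR: the CN stays the virtual name, the SAN carries every name.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$VIRTUAL" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    san="DNS:$VIRTUAL"
    for h in $PHYSICAL; do san="$san,DNS:$h"; done
    printf 'subjectAltName=%s\n' "$san" > "$WORK/san.cnf"
    # Sign with the test CA, attaching the SAN extension from the config file.
    openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Returns 0 if server.pem chains to the test CA AND names "$1"; this is the
# check that produced "hostname does not match CN in peer certificate" above.
matches_host() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
        "$WORK/server.pem" 2>/dev/null | grep -q ': OK$'
}

# Every name listed in the SAN matches; a host that is not listed does not.
make_certs
for h in $VIRTUAL $PHYSICAL eastldap2.test.com; do
    if matches_host "$h"; then echo "$h: matches"; else echo "$h: NO match"; fi
done
```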
