[Fedora-directory-users] question about SSL configuration with IP takeover HA setup

George Holbert gholbert at broadcom.com
Thu Sep 20 21:36:56 UTC 2007


>
> eastldap0 
> - eastldap0.test.com cert
> - eastldap.test.com cert
> ...

Each running FDS server instance will have just one SSL certificate.
If you want your server to identify with multiple names, you can either:
- Do a cert with subjectAltName extensions.
- Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com).

LDAP / SSL client support for these varies, so you will probably want to 
test both ways and see what works better with your clients.
If it works for you, the subjectAltName method is probably preferable, 
because you can precisely list the valid names for your server.

Also, consider keeping it simple and just doing certs with single names 
(e.g.,  one cert each for 'westldap.test.com' and 'eastldap.test.com'), 
and installing that same cert on each server which should have that SSL 
identity.  This is actually a pretty common way to do it, though it will 
limit your ability to make SSL connections to individual nodenames, like 
eastldap0.test.com (as you noticed).


Ryan Braun wrote:
> Hey guys,  installed FDS on a couple debian servers this week and am liking it 
> so far.  I have a couple questions regarding SSL/TLS setup with servers set up 
> for IP takeover type HA setup.  Keep in mind I have some experience with the 
> LDAP side of things,  it's the ssl and all the different certs and whatnot 
> that keeps me up at night.
>
> Essentially what I'm looking at is a 4 way multimaster setup,  ending up with 
> 2 HA pairs of servers.  call them eastldap and westldap.   I've implemented 
> the east side in my test lab and have it replicating and can pull any user 
> info I need off the directory no problem.
>
> so 
> eastldap0.test.com ip 192.168.0.11
> eastldap1.test.com ip 192.168.0.12
> and the virtual interface on whichever machine is master would be
> eastldap.test.com ip 192.168.0.10
>
> and then the exact same setup with the last 2
>
> westldap0.test.com ip 192.168.1.11
> westldap1.test.com ip 192.168.1.12
> westldap.test.com ip 192.168.1.10
>
> Once everything is set up and running clients would be primarily only 
> connecting to either virtual interface west/eastldap using TLS over port 389 
> and the 4 masters replicating with encryption (not sure but I imagine this 
> takes place on ldaps port).
>
> I followed the instructions on the howto:ssl page and created a cert located 
> on eastldap0.  But instead of using the eastldap0.test.com as the cn,  I used 
> eastldap.test.com.  Cert installed ok, made sure eastldap0 was the HA master 
> and restarted fds.  
>
> When I copied over the cacert to a linux client,  I can run searches using 
> ldapsearch -ZZ -h eastldap.test.com.  Server logs and wire sniffs confirm 
> everything is coming back encrypted.  It seems to be behaving as expected,  
> when I try ldapsearch -ZZ -h eastldap0.test.com,  it pukes with error 11 
> additional info: TLS: hostname does not match CN in peer certificate,  which 
> is right as the name in the cert is eastldap.test.com.
>
> So it would appear I'm on my way,  I just am not sure about what certs I need 
> now, and how to add them properly.  I would think I need at the very least
>
> eastldap0 
> - eastldap0.test.com cert
> - eastldap.test.com cert
> eastldap1
> - eastldap1.test.com cert
> - eastldap.test.com cert
> westldap0
> - westldap0.test.com cert
> - westldap.test.com cert
> westldap1
> - westldap1.test.com cert
> - westldap.test.com cert
>
> I'm just not sure if that is the proper way to go about it.  Also,  I would 
> like to have the clients to be able to have all the cacerts to be able to 
> communicate with all virtual and physical addresses if need be.  Later on,  I 
> would be adding probably 5 or 6 consumer read only replicas in between the 
> suppliers and the clients,  but one must walk before they run I guess :)
>
> Long post I know,  just trying to make sure I get all the important stuff out 
> there.  Be kind if I was using the incorrect terminology for the 
> certs/cacerts :)
>
> Ryan
>
> PS.  anyone have a good SSL for dummies reference that lays out what the heck 
> is going on with SSL (pems,keys,certs,cacerts etc) 
>
> --
>   
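
The error Ryan hit ("hostname does not match CN in peer certificate") is the client's hostname check, and the three options George lists differ only in which names that check will accept. The following is an added example, not code from this thread or from Fedora Directory Server: a small hostname matcher in the style TLS clients use (subjectAltName dNSName entries take precedence, the subject CN is a fallback only when no dNSName is present, and a wildcard is honoured only as the whole leftmost label). The certificates are constructed dicts using the thread's host names, not parsed PEM files, so the script runs with the standard library alone.

```python
"""Hostname checking against a TLS server certificate, the check behind the
'hostname does not match CN in peer certificate' error in the thread above.

Added example, not code from the thread or from Fedora Directory Server.
Certificates are modelled as constructed dicts (subject CN plus the dNSName
entries of the subjectAltName extension) instead of being parsed from PEM
files, so this runs with the Python standard library only."""

from __future__ import annotations


def _norm(name: str) -> str:
    """Lower-case and drop a trailing dot: DNS names compare case-insensitively."""
    return name.lower().rstrip(".")


def _pattern_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (possibly wildcarded) against a hostname.

    Rules as commonly implemented by TLS clients (RFC 6125 style):
    - no wildcard: exact match after normalisation;
    - a wildcard may only be the entire leftmost label ('*.test.com'), it
      matches exactly one label, and at least two fixed labels must follow it
      so that '*.com' cannot cover a whole top-level domain.
    """
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str) -> bool:
    """Return True if hostname is an identity the certificate asserts.

    dNSName subjectAltNames take precedence; the subject CN is consulted only
    when the certificate carries no dNSName SAN at all.
    """
    host = _norm(hostname)
    sans = [_norm(n) for n in cert.get("san_dns", [])]
    candidates = sans if sans else [_norm(cert["cn"])]
    return any(_pattern_matches(p, host) for p in candidates)


# Constructed certificate descriptions for the three options discussed in the
# reply: one name per cert, a cert with subjectAltName entries, and a wildcard CN.
CERTS = {
    "single-name": {"cn": "eastldap.test.com", "san_dns": []},
    "san": {
        "cn": "eastldap.test.com",
        "san_dns": ["eastldap.test.com", "eastldap0.test.com", "eastldap1.test.com"],
    },
    "wildcard-cn": {"cn": "*.test.com", "san_dns": []},
}


def accepting_certs(hostname: str) -> dict[str, bool]:
    """Which of the constructed certs a client would accept for this hostname."""
    return {label: match_hostname(cert, hostname) for label, cert in CERTS.items()}


if __name__ == "__main__":
    for host in ("eastldap.test.com", "eastldap0.test.com", "westldap.test.com"):
        print(host, accepting_certs(host))
```

Running it shows the single-name cert rejecting eastldap0.test.com exactly as ldapsearch did, while the subjectAltName cert accepts the VIP name and both node names and nothing else. The wildcard CN also accepts westldap.test.com, which is the precision George trades away with a wildcard and why he prefers subjectAltName when the clients support it; note too that a cert carrying any dNSName SAN has its CN ignored, so the VIP name must be listed in the SAN as well as the CN.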