Hi All,
Which one of the case below is suitable for a Multi-Master replication. I have a load balancer with ldap.domain.com, which is what clients will use to authenticate.
Question: Which one is a better implementation? What are the trade-offs? Please input your feedback as it might be useful for someone coming this way later. This can serve as a knowledge bank.
Case-I ldap01: server-cert with cn=ldap01.domain.com, subjAltName=ldap.domain.com ldap02: server-cert with cn=ldap02.domain.com, subjAltName=ldap.domain.com -MMR with tls throws error when ³Check hostname against name in certificate for outbound SSL connections² option is enabled. But RH recommends it to be turned ON.
Case-II ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com, ldap02.domain.com ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com,ldap02.domain.com -Does not comply with the requirement that ³server-cert² should have hostname as cn.I found this method working perfectly fine.
Knowledge Sharing: Here¹s a useful link which I use all the time and look before posting to the list. This is the archive for the mailing list and has search feature which very useful.
http://www.mail-archive.com/fedora-directory-users@redhat.com/info.html
Prashanth Sundaram wrote:
Hi All,
Which one of the case below is suitable for a Multi-Master replication. I have a load balancer with/ ldap.domain.com,/ which is what clients will use to authenticate.
*_Question: _*Which one is a better implementation? What are the trade-offs? Please input your feedback as it might be useful for someone coming this way later. This can serve as a knowledge bank.
Case-I ldap01: server-cert with cn=ldap01.domain.com, subjAltName=ldap.domain.com ldap02: server-cert with cn=ldap02.domain.com, subjAltName=ldap.domain.com -MMR with tls throws error when “*Check hostname against name in certificate for outbound SSL connections”* option is enabled. But RH recommends it to be turned ON.
What is the FQDN you specified in the replication agreement?
Case-II ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com, ldap02.domain.com ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com,ldap02.domain.com -Does not comply with the requirement that “server-cert” should have hostname as cn.I found this method working perfectly fine.
*Knowledge Sharing: *Here’s a useful link which I use all the time and look before posting to the list. This is the archive for the mailing list and has /search/ feature which very useful.
http://www.mail-archive.com/fedora-directory-users@redhat.com/info.html
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
389-users@lists.fedoraproject.org