3:38 a.m.
Hi,
I am using FreeIPAv4, some of clients products does not support LDAP failover so i am
configuring LDAP loadbalancer based on KeepAlived to do LDAP stream fail-over.
I have two FreeIPA server (ds01.xxx & ds02.xxx) and i added one new FreeIPA service
LDAP/ldapha.xxx which have two IPs (ds01 & ds02) in DNS Alias entry.
Everything works as excepted except TLS certificate verification on client side: required
Hostname from client is ldapha.xxx, stream is load balanced by KeepAlive on ds01 or ds02
and certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS handshake
failed.
nssdb certificate request:
Request ID 'yyy':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: xxxx
subject: CN=ds02.xxxx
expires: 2019-03-24 13:33:31 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
track: yes
auto-renew: yes
ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
Add new SAN in default LDAP certificate in nssdb is possible with command above but is it
recommended/supported? When FreeIPA software will be updated is this SAN configuration
will be persistent?
What is the best/recommended solution to cover this need?
Thank you for your help
--
David GOUDET
LYRA NETWORK
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
9:28 p.m.
On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote:
Hi,
I am using FreeIPAv4, some of clients products does not support LDAP failover so i am
configuring LDAP loadbalancer based on KeepAlived to do LDAP stream fail-over.
I have two FreeIPA server (ds01.xxx & ds02.xxx) and i added one new FreeIPA service
LDAP/ldapha.xxx which have two IPs (ds01 & ds02) in DNS Alias entry.
Everything works as excepted except TLS certificate verification on client side: required
Hostname from client is ldapha.xxx, stream is load balanced by KeepAlive on ds01 or ds02
and certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS handshake
failed.
nssdb certificate request:
Request ID 'yyy':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: xxxx
subject: CN=ds02.xxxx
expires: 2019-03-24 13:33:31 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
track: yes
auto-renew: yes
ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
Add new SAN in default LDAP certificate in nssdb is possible with command above but is it
recommended/supported? When FreeIPA software will be updated is this SAN configuration
will be persistent?
What is the best/recommended solution to cover this need?
That is a valid approach. Certmonger will remember the
configuration so you only need to do this once.
Cheers,
Fraser
> Thank you for your help
7:24 a.m.
New subject: Modify default dirsrv/LDAP certificate (add SAN)
Hi,
Thank you for your response.
Certmonger will track and manage this certificate (and keep my modification) but when
FreeIPA software will be updated is this SAN configuration will be persistent?
Is it possible that LDAP certificate request can be changed (deleted and re-created for
exemple) during FreeIPA upgrade processus?
BR,
----- Original Message -----
From: "Fraser Tweedale" <ftweedal(a)redhat.com>
To: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org>
Cc: "David Goudet" <david.goudet(a)lyra-network.com>
Sent: Monday, July 10, 2017 4:28:55 AM
Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)
On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote:
Hi,
I am using FreeIPAv4, some of clients products does not support LDAP failover so i am
configuring LDAP loadbalancer based on KeepAlived to do LDAP stream fail-over.
I have two FreeIPA server (ds01.xxx & ds02.xxx) and i added one new FreeIPA service
LDAP/ldapha.xxx which have two IPs (ds01 & ds02) in DNS Alias entry.
Everything works as excepted except TLS certificate verification on client side: required
Hostname from client is ldapha.xxx, stream is load balanced by KeepAlive on ds01 or ds02
and certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS handshake
failed.
nssdb certificate request:
Request ID 'yyy':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: xxxx
subject: CN=ds02.xxxx
expires: 2019-03-24 13:33:31 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
track: yes
auto-renew: yes
ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
Add new SAN in default LDAP certificate in nssdb is possible with command above but is it
recommended/supported? When FreeIPA software will be updated is this SAN configuration
will be persistent?
What is the best/recommended solution to cover this need?
That is a valid approach. Certmonger will remember the
configuration so you only need to do this once.
Cheers,
Fraser
Thank you for your help
--
David GOUDET
LYRA NETWORK
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
4:25 p.m.
On Mon, Jul 10, 2017 at 02:24:20PM +0200, David Goudet wrote:
Hi,
Thank you for your response.
Certmonger will track and manage this certificate (and keep my modification) but when
FreeIPA software will be updated is this SAN configuration will be persistent?
Is it possible that LDAP certificate request can be changed (deleted and re-created for
exemple) during FreeIPA upgrade processus?
Nope, FreeIPA won't change it on upgrade.
> BR,
>
> ----- Original Message -----
> From: "Fraser Tweedale" <ftweedal(a)redhat.com>
> To: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org>
> Cc: "David Goudet" <david.goudet(a)lyra-network.com>
> Sent: Monday, July 10, 2017 4:28:55 AM
> Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)
>
> On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote:
> > Hi,
> >
> > I am using FreeIPAv4, some of clients products does not support LDAP failover so
i am configuring LDAP loadbalancer based on KeepAlived to do LDAP stream fail-over.
> > I have two FreeIPA server (ds01.xxx & ds02.xxx) and i added one new FreeIPA
service LDAP/ldapha.xxx which have two IPs (ds01 & ds02) in DNS Alias entry.
> >
> > Everything works as excepted except TLS certificate verification on client side:
required Hostname from client is ldapha.xxx, stream is load balanced by KeepAlive on ds01
or ds02 and certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS
handshake failed.
> >
> > nssdb certificate request:
> > Request ID 'yyy':
> > status: MONITORING
> > stuck: no
> > key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
> > certificate:
type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
Certificate DB'
> > CA: IPA
> > issuer: xxxx
> > subject: CN=ds02.xxxx
> > expires: 2019-03-24 13:33:31 UTC
> > key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
> > track: yes
> > auto-renew: yes
> >
> > ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
> >
> > Add new SAN in default LDAP certificate in nssdb is possible with command above
but is it recommended/supported? When FreeIPA software will be updated is this SAN
configuration will be persistent?
> > What is the best/recommended solution to cover this need?
> >
> That is a valid approach. Certmonger will remember the
> configuration so you only need to do this once.
>
> Cheers,
> Fraser
>
> > Thank you for your help
> --
> David GOUDET
>
> LYRA NETWORK
> IT Operations service
> Tel : +33 (0)5 32 09 09 74 | Poste : 574
12:06 p.m.
New subject: Modify default dirsrv/LDAP certificate (add SAN)
Ok, great.
I will do that (and monitor that additional SAN ldapha.xx is persistant after upgrade)
Thank you for your help
BR
----- Original Message -----
From: "Fraser Tweedale" <ftweedal(a)redhat.com>
To: "David Goudet" <david.goudet(a)lyra-network.com>
Cc: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org>
Sent: Monday, July 10, 2017 11:25:56 PM
Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)
On Mon, Jul 10, 2017 at 02:24:20PM +0200, David Goudet wrote:
Hi,
Thank you for your response.
Certmonger will track and manage this certificate (and keep my modification) but when
FreeIPA software will be updated is this SAN configuration will be persistent?
Is it possible that LDAP certificate request can be changed (deleted and re-created for
exemple) during FreeIPA upgrade processus?
Nope, FreeIPA won't change it on upgrade.
BR,
----- Original Message -----
From: "Fraser Tweedale" <ftweedal(a)redhat.com>
To: "FreeIPA users list" <freeipa-users(a)lists.fedorahosted.org>
Cc: "David Goudet" <david.goudet(a)lyra-network.com>
Sent: Monday, July 10, 2017 4:28:55 AM
Subject: Re: [Freeipa-users] Modify default dirsrv/LDAP certificate (add SAN)
On Fri, Jul 07, 2017 at 10:38:25AM +0200, David Goudet via FreeIPA-users wrote:
> Hi,
>
> I am using FreeIPAv4, some of clients products does not support LDAP failover so i
am configuring LDAP loadbalancer based on KeepAlived to do LDAP stream fail-over.
> I have two FreeIPA server (ds01.xxx & ds02.xxx) and i added one new FreeIPA
service LDAP/ldapha.xxx which have two IPs (ds01 & ds02) in DNS Alias entry.
>
> Everything works as excepted except TLS certificate verification on client side:
required Hostname from client is ldapha.xxx, stream is load balanced by KeepAlive on ds01
or ds02 and certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS
handshake failed.
>
> nssdb certificate request:
> Request ID 'yyy':
> status: MONITORING
> stuck: no
> key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
> certificate:
type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS
Certificate DB'
> CA: IPA
> issuer: xxxx
> subject: CN=ds02.xxxx
> expires: 2019-03-24 13:33:31 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
> track: yes
> auto-renew: yes
>
> ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
>
> Add new SAN in default LDAP certificate in nssdb is possible with command above but
is it recommended/supported? When FreeIPA software will be updated is this SAN
configuration will be persistent?
> What is the best/recommended solution to cover this need?
>
That is a valid approach. Certmonger will remember the
configuration so you only need to do this once.
Cheers,
Fraser
> Thank you for your help
--
David GOUDET
LYRA NETWORK
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
--
David GOUDET
LYRA NETWORK
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
2480
days inactive
2484
days old
freeipa-users@lists.fedorahosted.org
4 comments
2 participants
participants (2)
-
David Goudet -
Fraser Tweedale