I currently have a working openldap/tls/sssd setup with one ldap server. I'm using
self-signed server-side and client-side certificates and the CA for the certificates
happens to live on the openldap server. This is, obviously, fraught with peril if the
openldap server dies! So, I've set up a second server as a replica server and I want
to be able to have my sssd clients failover to the replica if the primary goes away. Thus
far, my testing has been unsuccessful. I've cut a server cert for the new server but
when I try to use the secondary server as the authorized ldap server I get errors like:
additional info: TLS: hostname does not match CN in peer certificate
With my working setup I specify the ldap_tls_cacert, ldap_tls_cert, and ldap_tls_key in my
sssd.conf, in my ldap.conf, and in my .ldaprc and authentication works and ldapsearch
works (with starttls). If I change my ldap_tls_cert and key stuff to point to my 2nd
server keys, everything fails. I'm not sure how to get this working. Ultimately,
I'm going to have 4 total ldap servers, 2 each in disparate regions of the country,
one of which is the "master" and the 3 others replicas. Any and all help
appreciated as I'm very confused at this point.
Thanks.
Kevin Martin
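Added example, not code from Kevin's post or from sssd/OpenLDAP: a pure-Python model of the hostname check behind "TLS: hostname does not match CN in peer certificate", run against constructed certificate identities and an sssd.conf-style ldap_uri list. The hostnames, the certificate contents and the helper names are assumptions for illustration.

```python
"""Added example, not code from the original post or from sssd/OpenLDAP.

Models the RFC 6125 check a TLS client applies to an LDAP server: the host from
ldap_uri must match a dNSName SAN in the peer certificate, or the subject CN
only when the certificate has no SANs. Hostnames below are constructed."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def _identity_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate identity against a hostname.

    A wildcard is accepted only as the whole leftmost label of a name with at
    least three labels and never spans a dot: 'ldap*.example.com' and '*.com'
    are rejected, and '*.example.com' does not cover 'a.b.example.com'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, subject_cn: Optional[str], san_dns: List[str]) -> bool:
    """True if the peer certificate is acceptable for the host the client dialled."""
    if san_dns:  # SANs present: the CN is ignored entirely
        return any(_identity_matches(n, hostname) for n in san_dns)
    return subject_cn is not None and _identity_matches(subject_cn, hostname)


def hosts_from_ldap_uri(ldap_uri: str) -> List[str]:
    """Hosts a client would try, from a comma-separated sssd.conf-style ldap_uri value."""
    return [urlsplit(u.strip()).hostname for u in ldap_uri.split(",") if u.strip()]


def check_failover(ldap_uri: str, cert: dict) -> List[Tuple[str, bool]]:
    """For each failover target, whether a server presenting `cert` passes the check."""
    return [(h, hostname_matches(h, cert["cn"], cert["san"]))
            for h in hosts_from_ldap_uri(ldap_uri)]


# Constructed certificate identities (assumed hostnames, not from the post).
PRIMARY_ONLY_CERT = {"cn": "ldap1.example.com", "san": []}
REPLICA_CERT = {"cn": "ldap2.example.com", "san": ["ldap2.example.com", "ldap.example.com"]}

if __name__ == "__main__":
    uri = "ldaps://ldap1.example.com:636, ldaps://ldap2.example.com:636"
    print(check_failover(uri, PRIMARY_ONLY_CERT), check_failover(uri, REPLICA_CERT))
```

Each replica's certificate has to name the host the clients dial (or the shared alias) in its SAN; which client certificate and key the client presents does not affect this check.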