Hi,
I am using FreeIPA v4; some of my clients' products do not support LDAP failover, so I am configuring an LDAP load balancer based on KeepAlived to do LDAP stream fail-over.
I have two FreeIPA servers (ds01.xxx & ds02.xxx) and I added one new FreeIPA service, LDAP/ldapha.xxx, which has two IPs (ds01 & ds02) in the DNS alias entry.
Everything works as expected except TLS certificate verification on the client side: the hostname required by the client is ldapha.xxx, the stream is load balanced by KeepAlive to ds01 or ds02, and the certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS handshake failed.
nssdb certificate request:
Request ID 'yyy':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: xxxx
subject: CN=ds02.xxxx
expires: 2019-03-24 13:33:31 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx
track: yes
auto-renew: yes
ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx
Adding a new SAN to the default LDAP certificate in the nssdb is possible with the command above, but is it recommended/supported? When the FreeIPA software is updated, will this SAN configuration be persistent?
What is the best/recommended solution to cover this need?
Thank you for your help
--
David GOUDET
LYRA NETWORK
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
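Added example (not part of David's post, and not FreeIPA or certmonger code): a stdlib-only Python check that reproduces the client-side hostname verification failing on the ds02 certificate before the `-D ldapha.xxx` resubmit and passing after it, using SAN dNSName matching with CN fallback and one-label wildcards. The certificate dicts are constructed in the layout of `ssl.SSLSocket.getpeercert()`, and the hostnames `ds02.xxxx` / `ldapha.xxx` are the post's own placeholders.

```python
"""Does the certificate a load-balanced LDAP server presents cover the name
the client asked for?  Models the handshake failure described above."""
import socket
import ssl


def cert_dns_names(cert):
    """DNS identities a client may match against: SAN dNSName entries, with the
    subject CN used only when no SAN dNSName is present (RFC 6125 6.4.4)."""
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match; a leftmost '*' label matches exactly one label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        pl, hl = p.split("."), h.split(".")
        return len(pl) == len(hl) and pl[1:] == hl[1:]
    return False


def cert_covers(cert, hostname):
    """True when any identity in the certificate matches the requested name."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


def live_check(host, port=636, expected=None):
    """Connect over TLS and report whether the presented certificate covers
    `expected` (default: `host`). Hostname checking is turned off on the context
    so the certificate can be inspected here instead of failing the handshake;
    CA validation still applies. Not exercised offline."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as s:
        return cert_covers(s.getpeercert(), expected or host)


# Constructed: what ds02 serves before the resubmit (CN and SAN = ds02 only).
BEFORE = {"subject": ((("commonName", "ds02.xxxx"),),),
          "subjectAltName": (("DNS", "ds02.xxxx"),)}
# Constructed: after `ipa-getcert resubmit ... -D ds02.xxxx -D ldapha.xxx`.
AFTER = {"subject": ((("commonName", "ds02.xxxx"),),),
         "subjectAltName": (("DNS", "ds02.xxxx"), ("DNS", "ldapha.xxx"))}

if __name__ == "__main__":
    for label, cert in (("before", BEFORE), ("after", AFTER)):
        print(label, "covers ldapha.xxx:", cert_covers(cert, "ldapha.xxx"))
```

Run against the real VIP with `live_check("ldapha.xxx")` once both servers carry the extra SAN; a `False` from either backend means that node's certificate was not renewed with the alias.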