Saturday, February 11, 2023

[389-users] 389-ds and DNS aliases

Hi, I have 3 ldapservers in a multi-master setup for replication with
TLS. TLS is also used in the connection between servers and sssd clients.

The hostnames of the nodes are server1, server2 and server3, so when I
configured the replication agreement I used these names:


dsconf LDAP -D "cn=Directory Manager" repl-agmt create
--suffix="dc=example,dc=com" --host="" --port=636
--conn-protocol=LDAPS --bind-dn="cn=replication manager,cn=config"
--bind-passwd="secret" --bind-method=SIMPLE --init

I'd like to use dns aliases instead of server hostnames in the sssd.conf
file on the clients, so that I can replace a server with a new one by
simply changing the alias, without changing the configuration on the

So I defined aliases auth1, auth2 and auth3 in DNS and used them in
sssd.conf on clients.

With this configuration I have a problem with TLS certificates. If in
the certificate I set the CN equal to the hostname, the sssd clients
give the following error: "TLS: hostname does not match CN", while if I
set the CN equal to the alias name I get a mismatch error in the replica.

Is there a solution to the problem?


Alberto Crescente.
389-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam, report it:

No comments:

Post a Comment