Hi, I have 3 ldapservers in a multi-master setup for replication with
TLS. TLS is also used in the connection between servers and sssd clients.
The hostnames of the nodes are server1, server2 and server3, so when I
configured the replication agreement I used these names:
dsconf LDAP -D "cn=Directory Manager" repl-agmt create
--suffix="dc=example,dc=com" --host="server2.example.com" --port=636
--conn-protocol=LDAPS --bind-dn="cn=replication manager,cn=config"
--bind-passwd="secret" --bind-method=SIMPLE --init
I'd like to use dns aliases instead of server hostnames in the sssd.conf
file on the clients, so that I can replace a server with a new one by
simply changing the alias, without changing the configuration on the
So I defined aliases auth1, auth2 and auth3 in DNS and used them in
sssd.conf on clients.
With this configuration I have a problem with TLS certificates. If in
the certificate I set the CN equal to the hostname, the sssd clients
give the following error: "TLS: hostname does not match CN", while if I
set the CN equal to the alias name I get a mismatch error in the replica.
Is there a solution to the problem?
389-users mailing list -- email@example.com
To unsubscribe send an email to firstname.lastname@example.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://email@example.com
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Post a Comment