[CentOS] LDAP and expired passwords

Sat Nov 1 23:17:46 UTC 2008
Filipe Brandenburger <filbranden at gmail.com>

Hi,

On Sat, Nov 1, 2008 at 15:42, Steve Thompson <smt at vgersoft.com> wrote:
> Thank you very much Filipe

No problem!

LDAP with SSL is really tricky, as I said I implemented it some months
ago, and I'm sure I went through the same issues you are going now.

One thing I did in my setup was to configure the clients to query both
LDAP servers. To do that, I created a "star" certificate, like
CN=*.cbe.cornell.edu in your case, and then I created a new entry in
DNS doing round-robin between both IPs. Queries get split to both
servers, and if there is an update that falls on the slave, the
referral to the master by its own name will take care of doing the
update properly. The star certificate makes sure that connections
using any name (the RR or the master's name in case of updates) will
match the certificate.

HTH,
Filipe