
OL, SSL/TLS, and load balancing



In working with OpenLDAP, and trying to maintain a load-balanced pool of servers which can be made available to campus, I've run into an issue when wanting to use/enable SSL and/or TLS. The main issue comes down to how SSL/TLS handling is done in OpenLDAP. In general, the cert DN must match the servername.

When you use a software load balancer, this breaks client negotiated SSL/TLS, in that a bind to "ldap.stanford.edu" will come back with a bind to "ldap6.stanford.edu". Since "ldap.stanford.edu" != "ldap6.stanford.edu", the bind will fail.

When you use a hardware load balancer, this will break SSL/TLS encrypted replication, since doing an update to "ldap6.stanford.edu" will return a cert of "ldap.stanford.edu".

One fix for this would be using a star cert, with "ldap.stanford.edu" in the subjectAltName. However, I cannot find a cert vendor (which, for the time being, I must use) that will issue this. The closest I can get is a cert with "*.stanford.edu" in the DN field. However, the RFC discussing star certs only mentions them being present in the subjectAltName field, which means that cert is rejected. On the other hand, every other application and client we've used this cert with accepts it as valid -- it is only OL that is being picky about the RFC here.

I do think the capability to load balance directory servers is an important one, and is something that is going to impact a large number of potential users of OpenLDAP. So my question here is, should OL really be this stringent on the RFC about star certs in this case? It is obvious the intent of the cert is to give the star capabilities, even if the location is incorrect.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
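An added illustration of the matching problem described in the post above; it is not part of Quanah's message and not OpenLDAP's code. It is a small Python hostname checker that models the two policies the post contrasts: a strict policy that honours a "*" name only in subjectAltName dNSName entries (the behaviour the post attributes to OpenLDAP, which this example does not verify against the OpenLDAP source) and a lenient one that also honours a "*.stanford.edu" CN (what the post says other clients do). It follows RFC 2818's rule that a dNSName subjectAltName, when present, is used instead of the CN. Names such as `CertNames`, `cert_matches_host` and `post_scenarios` are this example's own; the certificate contents are constructed from the names in the post rather than parsed from real X.509 data, and the wildcard rule (whole leftmost label only, no partial-label or multi-label matching) is the example's conservative choice.

```python
"""Hostname-vs-certificate matching, modelling the two policies the post contrasts.

Added example; not OpenLDAP code. Certificate names are supplied as plain
strings (no X.509 parsing) so the check runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CertNames:
    """The identity fields of a server certificate that matter for hostname checks."""
    cn: str                                             # subject CN (the "DN field" in the post)
    san_dns: List[str] = field(default_factory=list)    # subjectAltName dNSName entries


def _match_pattern(pattern: str, hostname: str, allow_wildcard: bool) -> bool:
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the whole leftmost label ("*.stanford.edu"),
    never as part of a label ("ld*.stanford.edu") and never across label
    boundaries, so "*.stanford.edu" matches "ldap6.stanford.edu" but not
    "a.b.stanford.edu" or "stanford.edu". This conservative rule is the
    example's own choice.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not allow_wildcard:
        return False
    plabels = pattern.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in lab for lab in plabels[1:]):
        return False
    hlabels = hostname.split(".")
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def cert_matches_host(cert: CertNames, hostname: str, strict: bool = True) -> bool:
    """Return True if the certificate is acceptable for `hostname`.

    If any dNSName subjectAltName is present it is authoritative and the CN is
    ignored (RFC 2818 section 3.1); wildcards are honoured there under both
    policies. Without a SAN the CN is used: strict=True refuses a wildcard in
    the CN (the reading the post attributes to OpenLDAP), strict=False accepts
    it (the lenient reading the post says other clients apply).
    """
    if cert.san_dns:
        return any(_match_pattern(p, hostname, allow_wildcard=True) for p in cert.san_dns)
    return _match_pattern(cert.cn, hostname, allow_wildcard=not strict)


def post_scenarios() -> Dict[str, bool]:
    """Replay the situations described in the post.

    Hostnames and certificate contents are constructed from the post's text.
    """
    vip = "ldap.stanford.edu"        # load-balanced name clients bind to
    member = "ldap6.stanford.edu"    # one real pool member
    member_cert = CertNames(cn=member)
    vip_cert = CertNames(cn=vip)
    star_cn_cert = CertNames(cn="*.stanford.edu")                            # what the vendor will issue
    star_san_cert = CertNames(cn=member, san_dns=["*.stanford.edu", vip])    # what the post asks for
    return {
        # software LB: client binds to the VIP, a pool member answers with its own cert
        "software_lb_client_bind": cert_matches_host(member_cert, vip),
        # hardware LB: replication targets a member, the LB presents the VIP cert
        "hardware_lb_replication": cert_matches_host(vip_cert, member),
        # wildcard in the CN only: rejected under the strict policy, accepted leniently
        "star_cn_strict": cert_matches_host(star_cn_cert, vip, strict=True),
        "star_cn_lenient": cert_matches_host(star_cn_cert, vip, strict=False),
        # wildcard plus the VIP name in subjectAltName: accepted for both names, both policies
        "star_san_vip": cert_matches_host(star_san_cert, vip),
        "star_san_member": cert_matches_host(star_san_cert, member),
    }


if __name__ == "__main__":
    for name, ok in post_scenarios().items():
        print(f"{name:26s} {'OK' if ok else 'FAIL'}")
```

Running it shows the two load-balancer failures the post describes (a member cert presented for the VIP name, and the VIP cert presented for a member name), the "*.stanford.edu"-in-CN cert failing only under the strict policy, and a cert carrying the wildcard and the VIP name as dNSName entries passing for both names regardless of policy.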