[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OL, SSL/TLS, and load balancing

To: Donn Cave <donn@u.washington.edu>
Subject: Re: OL, SSL/TLS, and load balancing
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Tue, 04 May 2004 12:57:44 -0700
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <E791DC37-9E02-11D8-8870-000A959133A8@u.washington.edu>
References: <14442917.1083592006@cadabra.stanford.edu> <E791DC37-9E02-11D8-8870-000A959133A8@u.washington.edu>

It seems this thread has moved off-topic for this list.
Please direct further discussion of issues regarding use
of OpenLDAP Software to the openldap-software list.

Regarding the original issue, I suggest Quanah submit
an ITS (preferably with a patch).

Kurt

At 12:40 PM 5/4/2004, Donn Cave wrote:
>On Monday, May 3, 2004, at 01:46 PM, Quanah Gibson-Mount wrote:
>
>>Yes, our HTTP service is also load balanced... If you work with RL Bob Morgan, it wouldn't surprise me if the software you are using is the same we are using...
>>
>>When we initially went to deploy OpenLDAP, we experimented with the certs and software load balancing, without much luck... perhaps I should do it some more.
>
>Yes, he's involved, but this load balancing DNS service predates him,
>I believe parts of it came from UCLA's "groupd".   He has more than once
>brought the virtues of Stanford's way to our attention - I think you
>use an intermediate alias somewhere?  Ours just returns an A record with
>a rotating subset of the cluster IPs.
>
>This seems to work OK for OpenDLAP - with only one member in the cluster.
>I set that member up with an "ldap.washington.edu" (or something to that
>effect) certificate.
>
>For SSL, I expect the client to connect to ldap.washington.edu and not
>ever resolve that to ldap01.washington.edu.  Well, oddly, one ldapsearch
>seems to work fine with ldap01.  Others as expected do not work, but
>if I can figure out the difference, that may be the answer to the SSL
>replication and other cluster-member-specific operations.
>
>For GSSAPI, I expect the client to resolve to a canonical name, and this
>seems to happen (I get an ldap/ldap01 ticket.)   GSSAPI may be ready to
>go.  The clients are resolving the name, the only question is when.  If
>they're taking care of that BEFORE either requesting the ticket or making
>the connection, then we're fine, we just need them to connect to the same
>host as they got a ticket for.  This only shows up as a problem when there
>are multiple addresses and they're being shuffled.
>
>So this is way short of a complete success story - it's only initial
>reports from fooling around with a cluster of one this morning - but I
>haven't seen anything yet that looks like severe trouble for load based
>clustering.
>
>        Donn Cave, donn@u.washington.edu

References:
- Re: OL, SSL/TLS, and load balancing
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: OL, SSL/TLS, and load balancing
  - From: Donn Cave <donn@u.washington.edu>

Prev by Date: Re: slapacl back-port to 2.1?
Next by Date: Re: OL, SSL/TLS, and load balancing
Index(es):
- Chronological
- Thread