Load-Balanced LDAP Servers + TLS/SSL
Suppose that there are three servers:
one.example.com - master (slapd, slurpd)
two.example.com - slave (slapd)
three.example.com - slave (slapd)
Now suppose that I configure my DNS as follows:
one.example.com IN A 192.168.1.1
two.example.com IN A 192.168.1.2
three.example.com IN A 192.168.1.3
ldap.example.com IN A 192.168.1.1 ; round robin
ldap.example.com IN A 192.168.1.2 ; round robin
ldap.example.com IN A 192.168.1.3 ; round robin
This way, requests from LDAP clients will be balanced across all three
LDAP servers.
Now suppose that I wish to use TLS/SSL for all my LDAP connections. I
generate an SSL certificate for the common name ldap.example.com and I
load it onto the three servers: one, two, and three.
This works well, and all the requests, indeed, are balanced across the
three servers.
Unfortunately, the master (one) can't connect to the slaves (two, three)
for purposes of replication because the replica directives in one's
slapd.conf need to use the unique fqdns two.example.com and
three.example.com. To wit,
replica host=two.example.com    (can't use ldap.example.com here)
        tls=yes
        bindmethod=simple
        binddn="uid=foobar,dc=example,dc=com"
        credentials="secret"
replica host=three.example.com  (can't use ldap.example.com here)
        tls=yes
        bindmethod=simple
        binddn="uid=foobar,dc=example,dc=com"
        credentials="secret"
So, the question is, how to use TLS/SSL for replication in this
round-robin configuration? I want to use TLS/SSL for all of the LDAP
connections, both client-server (queries/updates) and master-slave
(replication).
I have a few possible solutions:
(1) Use a couple of stunnels on one.example.com as follows:
stunnel -c -d 127.0.0.1:20389 -r two.example.com:389
stunnel -c -d 127.0.0.1:30389 -r three.example.com:389
and change the replica stanzas to read:
replica host=127.0.0.1:20389
        tls=yes
        bindmethod=simple
        binddn="uid=foobar,dc=example,dc=com"
        credentials="secret"
replica host=127.0.0.1:30389
        tls=yes
        bindmethod=simple
        binddn="uid=foobar,dc=example,dc=com"
        credentials="secret"
This solution will work, but seems inelegant. Basically, it relies
on the fact that stunnel does not verify the SSL certificate by
default.
(2) Modify slapd so that it can use different certificates for different
ports. For example, I could start slapd on the slaves as follows:
two# slapd -h ldap:/// ldap://0.0.0.0:10389/
three# slapd -h ldap:/// ldap://0.0.0.0:10389/
This would require the configuration file, slapd.conf, to be
modified to support different TLS directives for the different
ports. Better, the -h flag could be deprecated and the slapd.conf
file could be augmented to have Listen and VirtualHost directives
similar to those in apache's httpd.conf.
I'm interested in hearing alternate suggestions. I'm sure that (1) will
work for me, but I don't think I'm the only person who would like to use
TLS/SSL exclusively and who would also like to do load balancing. I
think that (2) is a better solution.
Yours,
Luca
--
Luca Filipozzi
[dpkg] We are the apt. Resistance is futile. You will be packaged.
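Editor's added example (not part of the post above, and not OpenLDAP or stunnel code): the replication problem Luca describes comes down to TLS hostname verification, which is exactly the check that stunnel skips by default in solution (1). The script below models that check the way a verifying client performs it, against certificate dictionaries in the shape Python's ssl.SSLSocket.getpeercert() returns. The two certificates are constructed samples: the first is the CN-only certificate for ldap.example.com from the post, the second assumes a certificate whose subjectAltName lists every name a client or the master might connect with, which goes beyond what the post proposes and is offered here as the verifying alternative to an unverified tunnel.

```python
"""Hostname verification of an LDAP server certificate (added example).

Models what a TLS client does when it compares the peer certificate's
names with the host it connected to. Certificates are dicts in the
shape returned by ssl.SSLSocket.getpeercert(); the ones below are
constructed samples, not real certificates.
"""


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (case-insensitive).

    A wildcard is accepted only as the whole leftmost label and must not
    span label boundaries, following RFC 6125 section 6.4.3.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate is valid for.

    subjectAltName dNSName entries take precedence; the subject
    commonName is only consulted when no dNSName is present (legacy
    behaviour, which is what a CN-only certificate relies on).
    """
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for (key, value) in rdn if key == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if a verifying client would accept `cert` for `hostname`."""
    return any(_dns_name_match(name, hostname) for name in cert_names(cert))


def rejected_replicas(cert: dict, replica_hosts: list) -> list:
    """Replica hosts a *verifying* master would refuse to replicate to."""
    return [host for host in replica_hosts if not hostname_matches(cert, host)]


# Constructed sample: the certificate from the post, issued for the
# round-robin name only.
CN_ONLY_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
}

# Constructed sample (assumption, not from the post): one certificate
# carrying a subjectAltName for every name the servers are reached by.
SAN_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "one.example.com"),
        ("DNS", "two.example.com"),
        ("DNS", "three.example.com"),
    ),
}

REPLICA_HOSTS = ["two.example.com", "three.example.com"]

if __name__ == "__main__":
    # The CN-only certificate fails for the unique replica names, which
    # is why the post's replica stanzas cannot verify the slaves.
    print("CN-only certificate rejects:", rejected_replicas(CN_ONLY_CERT, REPLICA_HOSTS))
    # With every name in the SAN, the same certificate serves both the
    # round-robin clients and the master's replication connections.
    print("SAN certificate rejects:", rejected_replicas(SAN_CERT, REPLICA_HOSTS))
```

Run it as-is to see the CN-only certificate rejected for two.example.com and three.example.com while the SAN certificate passes for both; the same check is what an unverified stunnel never performs, so the tunnel in solution (1) would accept any certificate the far end presented.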