Re: TLS issue behind Cisco load balancer
On Wed, Jan 15, 2003 at 02:59:33PM -0600, Morong, Gerry wrote:
> LDAP clients
>       |
>   LoadBalancer1
>    /      |      \
> ldapserver1  ldapserver2  ldapserver3
>
>
> Have three LDAP servers behind a load balancer. Certain client TLS
> requests seem to be failing like "id -a username" and system logins.
> However, using the ldapsearch command with the -Z options seems to work
> fine. I am assuming the problem has to do with load balancer's hostname
> not matching what is in the ldap servers certificate. Have seen a
> couple of postings about using "subjectAltName" with the hostname of the
> load balancer in the certificate on the LDAP server. Have not been able
> to include the "subjectAltName" successfully.
If the LDAP servers are *only* accessed through the load-balancer, why
not give them all the same certificate and key, using the DNS name
that resolves to the load-balancer address?
After all, the whole point of load-balancers is to make multiple
systems appear to be a single system to the clients. It makes sense to
have the backend systems claim the same ID...
On subjectAltName: yes, putting in multiple names is supposed to work.
Unfortunately, not all clients are capable of understanding the
subjectAltName data so it may not win you anything in practice.
(I have not tried this with LDAP, but I did find that Web browsers
failed to recognise subjectAltName data.)
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
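The two approaches discussed in this thread (one shared certificate whose CN is the load balancer's DNS name, versus per-server certificates that carry the load balancer name only in subjectAltName) behave differently depending on whether the client understands subjectAltName. The following is an added example, not code from the thread or from OpenLDAP: it models a certificate the way Python's `ssl.SSLSocket.getpeercert()` presents it and applies the two hostname-matching rules side by side. The hostnames `ldap.example.com` and `ldapserver1.example.com` and the three certificates are constructed for illustration.

```python
"""Hostname checking against an X.509 identity: SAN-aware vs. CN-only clients.

Added example (not from the mailing-list thread). Certificates are modelled
in the dict shape returned by ssl.SSLSocket.getpeercert(); all names are
constructed for illustration.
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS comparison; a leading '*.' matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """dNSName entries from the subjectAltName extension (empty if none)."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert: dict) -> list:
    """commonName attributes from the subject DN."""
    return [value for rdn in cert.get("subject", ()) for (kind, value) in rdn
            if kind == "commonName"]


def hostname_matches(cert: dict, hostname: str, san_aware: bool = True) -> bool:
    """A SAN-aware client checks dNSName entries and falls back to CN only when
    the certificate has none; a CN-only client (the kind Andrew mentions)
    never looks at subjectAltName at all."""
    if san_aware:
        names = san_dns_names(cert) or common_names(cert)
    else:
        names = common_names(cert)
    return any(_dns_name_matches(name, hostname) for name in names)


def diagnose(cert: dict, hostname: str) -> dict:
    """Report whether each client type would accept this certificate for hostname."""
    return {
        "san_aware_client": hostname_matches(cert, hostname, san_aware=True),
        "cn_only_client": hostname_matches(cert, hostname, san_aware=False),
    }


# Constructed certificates (load balancer name: ldap.example.com).
# 1. Original situation: per-server cert naming only the backend host.
PER_SERVER_CERT = {
    "subject": ((("commonName", "ldapserver1.example.com"),),),
}
# 2. Per-server cert with the load balancer name added via subjectAltName.
SAN_CERT = {
    "subject": ((("commonName", "ldapserver1.example.com"),),),
    "subjectAltName": (("DNS", "ldapserver1.example.com"),
                       ("DNS", "ldap.example.com")),
}
# 3. Andrew's suggestion: one shared cert whose CN *is* the load balancer name
#    (SAN listing both names keeps SAN-aware clients happy too).
SHARED_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "ldapserver1.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("per-server", PER_SERVER_CERT),
                        ("per-server+SAN", SAN_CERT),
                        ("shared", SHARED_CERT)):
        print(label, diagnose(cert, "ldap.example.com"))
```

Running it shows the point of the thread: the per-server certificate fails for every client connecting to the load balancer name; adding the load balancer name in subjectAltName fixes SAN-aware clients but not CN-only ones; putting the load balancer name in the CN of a shared certificate satisfies both.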