
Re: TLS/SSL & load-balanced servers



On Fri, Jun 27, 2003 at 09:35:26PM -0700, Quanah Gibson-Mount wrote:
> I just ran into an interesting issue using TLS connections & load-balanced 
> servers.  Basically, each of our servers has its own cert 
> (ldap#.stanford.edu).  If I perform a search against the load-balanced name 
> (ldap.stanford.edu), ldapsearch fails, noting that the names don't match. 
> Is there an easy fix for this, or do I need to get an "ldap.stanford.edu" 
> cert that each of the servers uses?  And, will that even work inside 
> OpenLDAP?

You need to use subjectAltName.  For example, you could put the
following into your openssl .cnf configuration file when generating
certs for your load balanced servers:

subjectAltName=DNS:ldap.stanford.edu

Hope this helps,

Luca

-- 
Luca Filipozzi, ECE Dept. IT Manager, University of British Columbia
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D
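An added example, not part of Luca's reply: a small POSIX shell script that writes the openssl request config with the subjectAltName he describes, covering both the server's own name and the shared load-balanced name, then self-signs a test certificate and reads the SAN back so the load-balanced name can be confirmed before the cert goes on a server. The load-balanced name comes from the thread; ldap1.stanford.edu as the per-server name, the CN, the file names and the self-signed step are assumptions for illustration (a production cert would be a CSR sent to a CA).

```shell
#!/bin/sh
# Added example (not from the original post). Builds an OpenSSL .cnf whose
# subjectAltName names both this server and the load-balanced name, so that
# clients connecting to either name pass hostname verification.

# Emit the openssl config. "prompt = no" makes the [dn] values literal.
# $1 = this server's own name (assumed e.g. ldap1.stanford.edu)
# $2 = the load-balanced name clients connect to (ldap.stanford.edu)
make_san_config() {
    host="$1"
    lb_name="$2"
    cat <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ext
req_extensions     = v3_ext
prompt             = no

[ dn ]
CN = $host

[ v3_ext ]
subjectAltName = DNS:$host,DNS:$lb_name
EOF
}

# Generate a self-signed test cert from that config (file names are
# assumptions) and print the SAN line openssl reports, so the caller can
# check that the load-balanced name really is in the certificate.
issue_and_report_san() {
    host="$1"; lb_name="$2"; dir="${3:-.}"
    make_san_config "$host" "$lb_name" > "$dir/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" >/dev/null 2>&1
    # -text output lists the SAN on the line after its heading.
    openssl x509 -in "$dir/cert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

Run `issue_and_report_san ldap1.stanford.edu ldap.stanford.edu /tmp` and expect a line containing `DNS:ldap.stanford.edu`; if only the CN were set, that line would be absent and ldapsearch against the load-balanced name would keep failing.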