
Re: SSL certificates, kerberos keytabs, and load balancing
--On Friday, April 09, 2004 3:26 PM +0200 denis.havlik@t-mobile.at wrote:


Hi, folks

I'm trying to figure out what happens when one starts doing the load
balancing with LDAP servers. Don't really need it today, but it seems to
be a good day for such questions. :-)

So, we have N machines called ldapX.mydomain that all answer to requests
sent to "ldap.mydomain". As far as "certificates"/"keys" go, there are
two things that can go wrong:

1) kerberos key

As far as the kerberos keyfile goes, every machine really has to have a
key for ldap/ldapX.mydomain, because kerberos will do reverse name
mapping, and does not care that the machine happens to answer to
"ldap.mydomain" alias. Ad acta?

2) ssl certificate

OK, which name is used here? ldap.mydomain on all the servers, or
different certificate (issued for ldapX.mydomain) for each of the
servers?

Btw, could someone point me to a piece of documentation explaining
step-by-step how to set up load balancing 4 LDAP?

Good question about what it will want cert wise. I do *not* suggest software load balancing and SSL. For that to work, you need a * cert. We currently use software load balancing, and are unable to use TLS because the call to "ldap.stanford.edu" will return the server's real cert (ldapX.stanford.edu). If I use a different cert for the server (ldap.stanford.edu), I get a host name mismatch. So you'll have to use hardware load balancing. I plan to test that with Stanford's directory servers in the future, but that is a future project. ;)


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
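An added illustration of the hostname mismatch described in the reply above (example code, not from the thread or from any LDAP or load-balancer project): a small certificate-name matcher run against a constructed pool where clients connect to an alias and the balancer hands them a real member. The certificate descriptions and the example.org names are constructed; besides the wildcard certificate the reply mentions, it also shows a subjectAltName certificate listing both the alias and the member name, which is the other standard way to make one certificate valid for several names.

```python
"""Certificate name checks for a load-balanced LDAP service (constructed example)."""

def _label_match(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the requested host name, case-insensitively."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    # A wildcard may only stand for the entire left-most label (*.example.org):
    # not part of a label, and not when fewer than two labels follow it.
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname.

    cert is a constructed description, not a real certificate: the subject CN
    plus a list of DNS subjectAltName entries. When SAN entries are present
    they are authoritative and the CN is ignored, as verifiers do today.
    """
    sans = cert.get("san", [])
    if sans:
        return any(_label_match(name, hostname) for name in sans)
    return _label_match(str(cert.get("cn", "")), hostname)

def verify_pool(cert: dict, alias: str, members: list) -> dict:
    """Report, for the alias clients use and every real member, whether cert passes."""
    return {name: cert_matches_host(cert, name) for name in [alias] + members}

# Constructed scenario mirroring the thread: clients talk to ldap.example.org,
# the balancer forwards them to ldap1..ldap3.example.org.
ALIAS = "ldap.example.org"
MEMBERS = [f"ldap{i}.example.org" for i in (1, 2, 3)]

# Per-member cert: the server's own name, so the alias fails (the reported problem).
PER_HOST_CERT = {"cn": "ldap1.example.org", "san": []}
# Wildcard cert: the remedy named in the reply; valid for the alias and every member.
WILDCARD_CERT = {"cn": "*.example.org", "san": []}
# SAN cert naming alias and this member: valid on ldap1 for both names, not on ldap2.
SAN_CERT = {"cn": "ldap1.example.org", "san": ["ldap.example.org", "ldap1.example.org"]}

if __name__ == "__main__":
    for label, cert in (("per-host", PER_HOST_CERT), ("wildcard", WILDCARD_CERT), ("san", SAN_CERT)):
        print(label, verify_pool(cert, ALIAS, MEMBERS))
```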