
Re: SSL certificates, kerberos keytabs, and load balancing



Quanah Gibson-Mount wrote:
>
> I do *not* suggest software load balancing and SSL.

The term "software load balancing" is quite misleading.
What exactly do you mean by it?

> For that to work, you need a * cert.
> We currently use software load balancing, and are unable to use TLS
> because the call to "ldap.stanford.edu" will return the server's real
> cert (ldapX.stanford.edu).  If I use a different cert for the server
> (ldap.stanford.edu), I get a host name mismatch.

So you're probably talking about load-balancing with DNS round-robin by defining multiple CNAME records. Please be exact to avoid confusion.

> So you'll have to use hardware load balancing.

Again the term "hardware load balancing" is quite loose. I generally dislike classifications like this since every IT system I know of is hardware and software.

If you're talking about devices like Alteon switches or similar put in front of the LDAP server, note that this device is the SSL connection end-point. You won't be able to use SASL EXTERNAL with client certs then. Probably not a big deal with your Kerberos-based setup, but maybe not the right choice for other environments.

IMHO the best solution is when the LDAP application itself is capable of providing load-balancing and fail-over. But these LDAP applications are *very* rare.

Ciao, Michael.
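The host name mismatch described in the quoted message comes down to the name the client asked for ("ldap.stanford.edu") not matching any DNS name in the certificate the backend actually presents ("ldapX.stanford.edu"), and the suggested fix of a wildcard ("*") certificate works only within the rules for wildcard matching. The following example, added here and not part of the thread or of any OpenLDAP code, implements the RFC 6125 host name matching rules (case-insensitive comparison, a wildcard only as the complete leftmost label, matching exactly one label) and applies them to constructed certificate names for the DNS round-robin scenario. The function names, the sample backend names "ldap1"/"ldap2" and the subjectAltName lists are assumptions made for the illustration.

```python
"""Host name matching as a TLS client would do it, applied to the
DNS round-robin scenario from the thread (added example, not from the thread)."""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one DNS name taken from a certificate (CN or a SAN
    dNSName entry) matches the host name the client connected to.

    Rules follow RFC 6125: comparison is case-insensitive, a trailing dot
    is ignored, '*' is accepted only as the entire leftmost label, it must
    be followed by at least two more labels, and it matches exactly one
    label (so '*.example.com' does not match 'a.b.example.com').
    """
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not cert or not host:
        return False
    if "*" not in cert:
        return cert == host
    cert_labels = cert.split(".")
    host_labels = host.split(".")
    # Partial wildcards ('ld*.example.com') and wildcards in any label
    # other than the leftmost one are rejected.
    if cert_labels[0] != "*" or "*" in cert[1:] or len(cert_labels) < 3:
        return False
    # The wildcard stands for exactly one label, so label counts must agree
    # and every label after the wildcard must be identical.
    if len(cert_labels) != len(host_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


def cert_matches_host(cert_names, hostname: str) -> bool:
    """A certificate is acceptable if any of its DNS names matches."""
    return any(hostname_matches(n, hostname) for n in cert_names)


def round_robin_check(service_name: str, backends: dict) -> dict:
    """Simulate DNS round-robin: the client always asks for service_name,
    but any backend may answer with its own certificate.

    backends maps a backend name to the list of DNS names in its
    certificate. Returns backend -> True (accepted) / False (mismatch).
    """
    return {name: cert_matches_host(names, service_name)
            for name, names in backends.items()}


# Constructed sample data modelled on the names in the thread.
SERVICE = "ldap.stanford.edu"

# Each backend serves only a certificate for its own real name:
# every connection through round-robin fails host name verification.
PER_HOST_CERTS = {
    "ldap1.stanford.edu": ["ldap1.stanford.edu"],
    "ldap2.stanford.edu": ["ldap2.stanford.edu"],
}

# The wildcard certificate suggested in the thread, installed on every backend.
WILDCARD_CERTS = {
    "ldap1.stanford.edu": ["*.stanford.edu"],
    "ldap2.stanford.edu": ["*.stanford.edu"],
}

# Alternative without a wildcard: each backend keeps its own name but the
# certificate also lists the service name as a subjectAltName dNSName.
SAN_CERTS = {
    "ldap1.stanford.edu": ["ldap1.stanford.edu", "ldap.stanford.edu"],
    "ldap2.stanford.edu": ["ldap2.stanford.edu", "ldap.stanford.edu"],
}

if __name__ == "__main__":
    for label, backends in (("per-host certs", PER_HOST_CERTS),
                            ("wildcard cert", WILDCARD_CERTS),
                            ("SAN with service name", SAN_CERTS)):
        print(label, round_robin_check(SERVICE, backends))
```

The per-host configuration reproduces the mismatch from the thread: whichever backend answers, its certificate does not carry the name the client asked for. Both the wildcard certificate and a per-host certificate that additionally lists the service name in the subjectAltName pass, so the wildcard is one way out, not the only one; the last variant keeps a distinct key per backend, which matters if one backend's key is ever compromised. Note that a wildcard matches a single label only, so "*.stanford.edu" covers "ldap.stanford.edu" but neither "stanford.edu" nor "ldap.dept.stanford.edu".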