[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: OL, SSL/TLS, and load balancing
Just a followup on this, moved to openldap-software ...
On Monday, May 3, 2004, at 11:28 AM, Quanah Gibson-Mount wrote:
In working with OpenLDAP, and trying to maintain a load-balanced pool
of servers which can be made available to campus, I've run into an
issue when wanting to use/enable SSL and/or TLS. The main issue comes
down to how SSL/TLS handling is done in OpenLDAP. In general, the
cert DN must match the servername.
We're lucky to be able to use our own certificate authority for this,
and in case it may be interesting to anyone else, the following seems
to work here. Supposing a cluster vildap with members ildap01, ...
1. Host certificate - specified in slapd.conf TLSCertificateFile
dn: cn=vildap.washington.edu, ...
subjectAltName: DNS:vildap.u.washington.edu,
DNS:ildap01.washington.edu
2. Client certificate - specified in /.ldaprc
dn: cn=ildap01.washington.edu, ...
The client certificate is used by some internal procedures, notably
slurpd.
This works with several recent vintages of OpenLDAP, and it works
with Windows - "all" Windows platforms, I'm told. I think the dual
name in subjectAltName is unnecessary, we only need the canonical
name there, but our certificate authority wanted to do it this way
and it hasn't hurt anything. Our DNS cluster software is fairly
simple: it returns A records for the cluster members, and the IPs
point back to the canonical names for their respective hosts.
Donn Cave, donn@u.washington.edu