[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: load balancer with SSL
I can do an ldapsearch over SSL and non-SSL directly to one of the
"behind the load balancer" LDAP servers. I can do an ldapsearch over
non-SSL to the load balancer, but SSL to the load balancer fails - it
looks like SSL connects fine, but nothing happens after that.
Im going to add some logging and see what I get. Hopefully it will
shed more light on the matter. If you have any suggestions in the
meantime I'd love to hear them. :-) I'lll try posting my results here
when I get them.
- Jeremiah
On 4/26/06, Samuel Tran <stran@amnh.org> wrote:
> On Wed, 2006-04-26 at 15:46 -0400, Jeremiah Martell wrote:
> > On 4/24/06, Samuel Tran <stran@amnh.org> wrote:
> > > On Mon, 2006-04-24 at 10:55 -0400, Jeremiah Martell wrote:
> > > > I'm having some troubles with using SSL over a LDAP load balancer.
> > > > Without SSL everything works fine, but when I turn on SSL I get a
> > > > failure. But if I use SSL and bypass the load balancer and point
> > > > directly to a LDAP directry everything works fine again.
> > > >
> > > > Is there something tricky or special I need to know to get this to work?
> > > >
> > >
> > > Hi Jeremiah,
> > >
> > > What is the error message you got when trying to communicate with the
> > > LDAP load balancer over SSL? What DNS names did you use to contact the
> > > load balancer and each individual LDAP server? How did you create the
> > > SSL certificates for the LDAP servers?
> > >
> > > I suspect that you haven't created the SSL certificates for the LDAP
> > > servers with the 'SubjectAltName' field set to the DNS name of the load
> > > balancer.
> > >
> > > Hope this helps.
> > >
> > > Sam
> > >
> > >
> > >
> > >
> >
> > I know the load balancer is setup properly because another ldap client
> > can connect to it with SSL and do searches ok.
> >
> > The error message I got was just "-1" unable to connect.
> >
> > With my openldap client I have the TLS_REQCERT option set to "never"
> > in ldap.conf, so it shouldnt be a bad name in the certificate, right?
> >
> > Using Ethereal it looks like a valid SSL session is initiated, but
> > then there's no SSL data traffic afterwards. I'm at a loss as to what
> > could be causing this. Any ideas on what to try or look for?
> >
>
> If TLS_REQCERT is properly set to 'never' in your ldap.conf, then the CN
> or the 'SubjectAltName' in the server certificate don't matter.
>
> What do you have in the LDAP log on the server that the connection is
> redirected to? Can you do an ldapsearch over SSL directly to one of the
> LDAP servers using its IP address?
>
> Sam
>
>
--
- Jeremiah
inlovewithGod@gmail.com