On Fri, 2006-06-09 at 09:58 -0400, Jeremiah Martell wrote:
I actually had the TLS_REQCERT set to allow, not never, would this make a difference? The error I'm getting is "TLS: hostname (1.example.com) does not match common name in certificate (2.example.com)." I thought "allow" would keep this error from happening.
- Jeremiah
On 4/27/06, Jeremiah Martell <inlovewithgod@gmail.com> wrote:
I can do an ldapsearch over SSL and non-SSL directly to one of the "behind the load balancer" LDAP servers. I can do an ldapsearch over non-SSL to the load balancer, but SSL to the load balancer fails - it looks like SSL connects fine, but nothing happens after that.
I'm going to add some logging and see what I get. Hopefully it will shed more light on the matter. If you have any suggestions in the meantime I'd love to hear them. :-) I'll try posting my results here when I get them.
- Jeremiah
On 4/26/06, Samuel Tran <stran@amnh.org> wrote:
On Wed, 2006-04-26 at 15:46 -0400, Jeremiah Martell wrote:
On 4/24/06, Samuel Tran <stran@amnh.org> wrote:
On Mon, 2006-04-24 at 10:55 -0400, Jeremiah Martell wrote:
I'm having some troubles with using SSL over an LDAP load balancer. Without SSL everything works fine, but when I turn on SSL I get a failure. But if I use SSL and bypass the load balancer and point directly to an LDAP directory everything works fine again.
Is there something tricky or special I need to know to get this to work?
Hi Jeremiah,
What is the error message you got when trying to communicate with the LDAP load balancer over SSL? What DNS names did you use to contact the load balancer and each individual LDAP server? How did you create the SSL certificates for the LDAP servers?
I suspect that you haven't created the SSL certificates for the LDAP servers with the 'SubjectAltName' field set to the DNS name of the load balancer.
Hope this helps.
Sam
I know the load balancer is set up properly because another ldap client can connect to it with SSL and do searches ok.
The error message I got was just "-1" unable to connect.
With my openldap client I have the TLS_REQCERT option set to "never" in ldap.conf, so it shouldn't be a bad name in the certificate, right?
Using Ethereal it looks like a valid SSL session is initiated, but then there's no SSL data traffic afterwards. I'm at a loss as to what could be causing this. Any ideas on what to try or look for?
If TLS_REQCERT is properly set to 'never' in your ldap.conf, then the CN or the 'SubjectAltName' in the server certificate don't matter.
What do you have in the LDAP log on the server that the connection is redirected to? Can you do an ldapsearch over SSL directly to one of the LDAP servers using its IP address?
Sam
Jeremiah,
I did the test with TLS_REQCERT set to 'allow' and got the same result as you. I am not sure what they mean by 'bad certificate' in the manual page of 'ldap.conf'.
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
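An added example, not part of the thread above or of OpenLDAP's own code: the hostname check behind the "hostname (1.example.com) does not match common name in certificate (2.example.com)" error, written in Python over certificates in the dict form returned by `ssl.SSLSocket.getpeercert()`. It shows why a per-server certificate fails behind a load balancer contacted under another name, and how a `SubjectAltName` covering that name (Sam's suggestion) clears it. The function names and the sample certificates are mine and constructed.

```python
from typing import Dict, List, Optional, Tuple

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a leading '*' matches exactly one leftmost label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    # Only a whole-label wildcard in the leftmost position, never something as
    # broad as *.com, and the label counts must agree.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_names(cert: Dict) -> Tuple[List[str], Optional[str]]:
    """Pull the dNSName SANs and the subject CN out of a getpeercert() dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cn = value
    return sans, cn

def hostname_matches(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason). dNSName SANs take precedence; the CN is only a
    fallback when the certificate carries no dNSName SAN at all."""
    sans, cn = cert_names(cert)
    if sans:
        for san in sans:
            if _dns_name_matches(san, hostname):
                return True, f"hostname ({hostname}) matches subjectAltName DNS:{san}"
        return False, f"hostname ({hostname}) does not match subjectAltName {sans}"
    if cn is not None and _dns_name_matches(cn, hostname):
        return True, f"hostname ({hostname}) matches common name ({cn})"
    return False, f"hostname ({hostname}) does not match common name in certificate ({cn})"

# Constructed sample certificates in getpeercert() form (not real certificates).
# BACKEND_CERT is the thread's situation: a per-server certificate presented
# behind a load balancer that the client contacts as 1.example.com.
BACKEND_CERT = {"subject": ((("commonName", "2.example.com"),),)}
# The same server re-issued with a SAN that also covers the load balancer name.
FIXED_CERT = {
    "subject": ((("commonName", "2.example.com"),),),
    "subjectAltName": (("DNS", "2.example.com"), ("DNS", "1.example.com")),
}

if __name__ == "__main__":
    for cert in (BACKEND_CERT, FIXED_CERT):
        print(hostname_matches(cert, "1.example.com"))
```

Setting TLS_REQCERT to "never" or "allow" only tells the client to ignore the result of this check; a certificate whose SAN lists the load balancer's DNS name passes it with verification left on.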