Aaron Richton wrote:
> I don't see this...
You're seeing the correct behavior; libldap was changed along these
lines back in April 2003. If someone is trying this and getting a
different behavior they must be using a very very old library.
> [put NotTheCert in /etc/hosts]
>
> $ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
> No such object (32)
> $ ed ldap.conf
> 633
> 1,$s/never/demand/p
> TLS_REQCERT demand
> w
> 634
> q
> $ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer certificate
>
> Certainly appears to instigate different behavior to me.
>
> However, the whole point of the load balancer is to make everything look
> the same. Toward that end, why would you want server1 and server2 to
> look different--might as well lose the load balancer at that point. With
> the load balancer, either use subjectAltNames, or just get a cert for
> "loadbalancer.example.com" and use that. We do the latter; I don't
> *want* the users to see that they're connected to server1 or server2 or....
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
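Added example, not part of the thread or of libldap: a small offline model of the peer check a client applies under TLS_REQCERT demand versus never, so the load-balancer point above can be tried without a server. It assumes dNSName SANs take precedence over the CN (the CN is consulted only when no dNSName is present) and that a wildcard is honoured only as the whole leftmost label; the certificate values and host names are constructed.

```python
"""Model of the hostname check behind TLS_REQCERT demand (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Just the naming parts of a peer certificate (constructed, not parsed)."""
    cn: str
    san_dns: list[str] = field(default_factory=list)  # dNSName entries


def _name_match(pattern: str, host: str) -> bool:
    # Case-insensitive comparison; a '*' is accepted only as the entire
    # leftmost label and must not span more than one label of the host.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert: PeerCert, host: str) -> bool:
    # Assumption: SAN dNSName entries take precedence; the CN is only used
    # when the certificate carries no dNSName at all.
    candidates = cert.san_dns if cert.san_dns else [cert.cn]
    return any(_name_match(c, host) for c in candidates)


def check_peer(reqcert: str, cert: PeerCert, host: str) -> tuple[bool, str]:
    """Return (connection allowed?, reason) for the given TLS_REQCERT value."""
    if reqcert == "never":
        return True, "TLS_REQCERT never: peer certificate not checked"
    if hostname_matches(cert, host):
        return True, "ok"
    return False, "TLS: hostname does not match CN in peer certificate"


if __name__ == "__main__":
    # A cert issued for one backend, reached through the load balancer name.
    backend = PeerCert("server1.example.com")
    print(check_peer("never", backend, "loadbalancer.example.com"))
    print(check_peer("demand", backend, "loadbalancer.example.com"))
    # A single cert whose SANs cover the balancer and every backend.
    shared = PeerCert("loadbalancer.example.com",
                      ["loadbalancer.example.com", "server1.example.com",
                       "server2.example.com"])
    print(check_peer("demand", shared, "server2.example.com"))
```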