
Re: load balancer with SSL



James Bourne wrote:
At any rate I can say that load balancers with SSL do work even on 2.0.27
(as that is what our current cluster of ldap servers are).

When you create the certificate, simply make the hostname in the cert the
hostname of the cluster IP for your load balancer, then add the real server
name as the subjectAltName of the certificate.  This will allow you to
replicate over SSL to the real server name (on the private network) and
still query the cluster hostname with SSL and not get certificate errors.

This is in the FAQ, isn't it?

It probably is; why don't you look? Add it yourself if it's missing, that's what the FAQ-o-Matic is for.


Anyway, as I wrote in the Admin Guide, http://www.openldap.org/doc/admin23/tls.html, you should use the real hostname as the CN of the cert DN, and put the cluster name in as an alias. Opposite of what you suggested. Ultimately it works either way.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
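The two layouts discussed above (real hostname in the CN with the cluster name as a subjectAltName alias, or the reverse) both pass hostname verification only as long as the client is willing to fall back to the CN. RFC 6125 (section 6.4.4) says a client must ignore the CN entirely once the certificate carries any DNS-type subjectAltName, and current TLS stacks do exactly that, so in practice both the real server name and the cluster name need to be listed as subjectAltName entries regardless of which one goes in the CN. The checker below is an added example, not code from this thread, from OpenLDAP or from OpenSSL: it implements that matching rule over certificates written in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same function can be pointed at a live LDAP-over-TLS peer. The hostnames `ldap1.internal.example.com` (real server) and `ldap.example.com` (cluster name) and the three sample certificates are constructed for illustration.

```python
"""RFC 6125 style hostname matching against an LDAP server certificate.

Certificates use the dict shape returned by ssl.SSLSocket.getpeercert():
  {"subject": ((("commonName", "..."),),), "subjectAltName": (("DNS", "..."), ...)}
The sample certs and hostnames below are constructed, not taken from the thread.
"""


def _san_dns_names(cert):
    """Return the DNS-type subjectAltName entries, if any."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """Return every commonName attribute from the subject DN."""
    return [value for rdn in cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def _match_pattern(pattern, hostname):
    """Match one presented identifier against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A single '*'
    is allowed only as the whole leftmost label and matches exactly one label
    (RFC 6125 section 6.4.3); patterns such as '*.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False  # wildcard must be the entire leftmost label
    if len(plabels) < 3 or len(hlabels) != len(plabels):
        return False  # too-broad wildcard or label-count mismatch
    return plabels[1:] == hlabels[1:]


def match_hostname(cert, hostname):
    """Return True if cert is valid for hostname, else False.

    If the certificate has any DNS subjectAltName, only those names are
    checked and the CN is ignored (RFC 6125 section 6.4.4). The CN is used
    only as a legacy fallback when no DNS SAN is present at all.
    """
    sans = _san_dns_names(cert)
    if sans:
        return any(_match_pattern(p, hostname) for p in sans)
    return any(_match_pattern(p, hostname) for p in _common_names(cert))


# Constructed sample: real server name in the CN, cluster name as the SAN alias,
# as the Admin Guide recommends. The real name is repeated in the SAN because,
# once any DNS SAN exists, the CN is no longer consulted.
CERT_RECOMMENDED = {
    "subject": ((("commonName", "ldap1.internal.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.internal.example.com"),
                       ("DNS", "ldap.example.com")),
}

# Constructed sample: same CN, but the SAN carries only the cluster alias.
# Replication to the real server name now fails hostname verification.
CERT_ALIAS_ONLY_SAN = {
    "subject": ((("commonName", "ldap1.internal.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}

# Constructed sample: cluster name in the CN and no SAN at all. Only clients
# that still fall back to the CN accept it, and only for the cluster name.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap.example.com"),),),
}

HOSTNAMES = ["ldap.example.com", "ldap1.internal.example.com"]


def check_all(cert, hostnames=HOSTNAMES):
    """Map each hostname to whether cert verifies for it."""
    return {h: match_hostname(cert, h) for h in hostnames}


if __name__ == "__main__":
    for label, cert in [("recommended", CERT_RECOMMENDED),
                        ("alias-only SAN", CERT_ALIAS_ONLY_SAN),
                        ("CN only", CERT_CN_ONLY)]:
        print(f"{label:15s} {check_all(cert)}")
```

Running the script shows the recommended layout verifying for both names, the alias-only SAN layout failing for the real server name even though that name is the CN, and the CN-only layout passing only for the cluster name and only under the legacy fallback. When generating the certificate, list every name the server will be reached by in the subjectAltName and treat the CN as informational.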