Our clients are mainly nss_ldap connecting with starttls so looks
like our best bet is either wildcard cert or SubjectAltName.
SubjectAltName seems a bit more complicated to do, as in openssl I
will have to edit the openssl.cnf file and add all the hostnames and
recreate the CSR. We use a local CA here for signing all the
certificates used in protected communications.
Thanks,
Daniel
On 11-08-27 3:45 PM, Marco Schirrmeister wrote:
To avoid all this name problems and to keep things
simple I use a wildcard certificate.
This cert is also used on the real servers and on the load
balancer.
The load balancer terminates the ssl connection for port 636
and creates a new session to the backend server.
The reason that I have also the wildcard cert also on the
backend servers is for secure connections over 389.
The load balancer doesn't speak the ldap protocol, so if a
client is doing a starttls he would get the cert from the real
server.
If 389 is not needed, then I think 1 or 2 certs on a load
balancer would be enough.Â
The replication works also with self-signed certs if
configured correctly.
--
Marco
On Aug 26, 2011, at 10:35 PM, Daniel Qian wrote:
Still not sure how
you did it. Are you saying you set the same certificate in
slapd and played with DNS to make it look like only one
server(URL) to everyone?
Thanks,
Daniel
On 11-08-26 4:03 PM, Chris Jacobs wrote:
What I
did:
* setup servers behind VIP
* obtain cert with primary name of vip DNS w/
secondary names of the servers.
That way, the servers can sync/tryst each other via
the same cert used by clients.
Note: some clients (lookin at you Firefox) won't use
the primary name if subjectaltname exists - so
include primary name in the alt names JIC.
- chris
Chris Jacobs, Systems Administrator, Technology
Services Group
Apollo Group | Apollo Marketing and Product
Developmentï |ï Aptimus, Inc.
2001 6th Aveï |ï Suite 3200ï |ï Seattle, WA
98121
direct 206.839.8245ï |ï cell 206.601.3256ï |ïÂ
fax 206.839.8106
email chris.jacobs@apollogrp.edu
From the openldap website the two nodes have to use
different URLs like below:
syncrepl rid=001
provider=ldap://ldap-sid2.example.com
bindmethod=simple
binddn="cn=mirrormode,dc=example,dc=com"
credentials=mirrormode
searchbase="dc=example,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
and
syncrepl rid=001
provider=ldap://ldap-sid1.example.com
bindmethod=simple
binddn="cn=mirrormode,dc=example,dc=com"
credentials=mirrormode
searchbase="dc=example,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
I can set two different certificates so that TLS is fine
for sync between the two nodes. However we will have
regular Ldap client access these two nodes behind a
loadbalancer over TLS too. Obviously the client can't
connect with ldap-sid2.example.com,
nor with ldap-sid1.example.com.
So what is the solution to this scenario? Setup a pool
of consumers with same hostname?
Thanks,
Daniel
This
message is private and confidential. If you have
received it in error, please notify the sender and
remove it from your system.
|