Re: SSL certificates, kerberos keytabs, and load balancing

[Dieter Kluenter <dieter@dkluenter.de>]

Hi,

Quanah Gibson-Mount <quanah@stanford.edu> writes:

> --On Friday, April 09, 2004 3:26 PM +0200 denis.havlik@t-mobile.at wrote:
>
>>
>> Hi, folks
>>
>> I'm trying to figure out what happens when one starts doing the load
>> balancing with LDAP servers. Don't really need it today, but it seams to
>> be a good day for such questions. :-)
>>
>> So, we have N machines called ldapX.mydomain that all answer to requests
>> sent to "ldap.mydomain". As far as "certificates"/"keys" go, there are
>> two things that can go wrong:
[...]
>> 2) ssl certificate
>>
>> OK, which name is used here? ldap.mydomain on all the servers, or
>> different certificate (issued for ldapX.mydomain) for each of the
>> servers?
>>
>> Btw, could someone point me to a piece of documentation explaining
>> step-by-step how to set up load balancing 4 LDAP?
>
> Good question about what it will want cert wise.  I do *not* suggest
> software load balancing and SSL.  For that to work, you need a * cert.
> We currently use software load balancing, and are unable to use TLS
> because the call to "ldap.stanford.edu" will return the server's real
> cert (ldapX.stanford.edu).  If I use a different cert for the server
> (ldap.stanford.edu), I get a host name mismatch.  So you'll have to
> use hardware load balancing.  I plan to test that with Stanford's
> directory servers in the future, but that is a future project. ;)

To solve the host mismatch problem in certificates you may addionally
use the attribute subjectAltName, i.e. 
commonName=ldap1.example.com
subjectAltName=commonName: ldap.example.com

-Dieter


-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de