
Re: load balancer with SSL



I actually had the TLS_REQCERT set to allow, not never, would this
make a difference? The error I'm getting is "TLS: hostname
(1.example.com) does not match common name in certificate
(2.example.com)." I thought "allow" would keep this error from
happening.

- Jeremiah

On 4/27/06, Jeremiah Martell <inlovewithgod@gmail.com> wrote:
I can do an ldapsearch over SSL and non-SSL directly to one of the
"behind the load balancer" LDAP servers. I can do an ldapsearch over
non-SSL to the load balancer, but SSL to the load balancer fails - it
looks like SSL connects fine, but nothing happens after that.

I'm going to add some logging and see what I get. Hopefully it will
shed more light on the matter. If you have any suggestions in the
meantime I'd love to hear them. :-) I'll try posting my results here
when I get them.

 - Jeremiah

On 4/26/06, Samuel Tran <stran@amnh.org> wrote:
> On Wed, 2006-04-26 at 15:46 -0400, Jeremiah Martell wrote:
> > On 4/24/06, Samuel Tran <stran@amnh.org> wrote:
> > > On Mon, 2006-04-24 at 10:55 -0400, Jeremiah Martell wrote:
> > > > I'm having some troubles with using SSL over a LDAP load balancer.
> > > > Without SSL everything works fine, but when I turn on SSL I get a
> > > > failure. But if I use SSL and bypass the load balancer and point
> > > > directly to a LDAP directory everything works fine again.
> > > >
> > > > Is there something tricky or special I need to know to get this to work?
> > > >
> > >
> > > Hi Jeremiah,
> > >
> > > What is the error message you got when trying to communicate with the
> > > LDAP load balancer over SSL? What DNS names did you use to contact the
> > > load balancer and each individual LDAP server? How did you create the
> > > SSL certificates for the LDAP servers?
> > >
> > > I suspect that you haven't created the SSL certificates for the LDAP
> > > servers with the 'SubjectAltName' field set to the DNS name of the load
> > > balancer.
> > >
> > > Hope this helps.
> > >
> > > Sam
> > >
> > >
> > >
> > >
> >
> > I know the load balancer is set up properly because another ldap client
> > can connect to it with SSL and do searches ok.
> >
> > The error message I got was just "-1" unable to connect.
> >
> > With my openldap client I have the TLS_REQCERT option set to "never"
> > in ldap.conf, so it shouldn't be a bad name in the certificate, right?
> >
> > Using Ethereal it looks like a valid SSL session is initiated, but
> > then there's no SSL data traffic afterwards. I'm at a loss as to what
> > could be causing this. Any ideas on what to try or look for?
> >
>
> If TLS_REQCERT is properly set to 'never' in your ldap.conf, then the CN
> or the 'SubjectAltName' in the server certificate don't matter.
>
> What do you have in the LDAP log on the server that the connection is
> redirected to? Can you do an ldapsearch over SSL directly to one of the
> LDAP servers using its IP address?
>
> Sam
>
>


--
- Jeremiah
inlovewithGod@gmail.com



--
- Jeremiah
inlovewithGod@gmail.com
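The error quoted in the reply ("hostname (1.example.com) does not match common name in certificate (2.example.com)") is the client's peer-name check: the name the client dialled (the load balancer) is compared against the names the back-end server's certificate carries. The following is an added example, not code from the thread or from OpenLDAP, that implements that comparison the way modern clients do it: subjectAltName dNSName entries are authoritative, and the subject CN is consulted only when the certificate has no dNSName at all. The two certificates are constructed to mirror the thread (a CN-only certificate for 2.example.com, and the same certificate re-issued with the balancer name in its SAN, as Sam suggested); they are modelled in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns so the same function works on a live connection.

```python
"""Check whether a server certificate covers the hostname a client used.

Constructed example: an LDAP client connects to the load balancer name
(1.example.com) while the back-end server presents a certificate issued
for its own name (2.example.com). Certificates are represented as the
dict shape ssl.SSLSocket.getpeercert() returns.
"""


def _dns_names(cert):
    """Return the dNSName entries of subjectAltName (possibly empty)."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """Return every commonName attribute found in the subject."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def _label_matches(pattern, hostname):
    """Case-insensitive exact match, or a wildcard in the leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*' stands for exactly one label, so '*.example.com' does not cover 'example.com'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_peer_name(cert, hostname):
    """Return (ok, detail); detail says which field matched or why it failed."""
    sans = _dns_names(cert)
    if sans:
        # SAN present: the CN is ignored entirely, even if it would have matched
        for name in sans:
            if _label_matches(name, hostname):
                return True, f"subjectAltName dNSName '{name}' matches {hostname}"
        return False, f"hostname ({hostname}) does not match any subjectAltName {sans}"
    cns = _common_names(cert)
    for cn in cns:
        if _label_matches(cn, hostname):
            return True, f"commonName '{cn}' matches {hostname}"
    return False, (
        f"hostname ({hostname}) does not match common name in certificate "
        f"({', '.join(cns) or 'none'})"
    )


# Constructed certificates, not real data: the back-end server's own name is
# 2.example.com; clients reach it through the balancer as 1.example.com.
BACKEND_CERT_CN_ONLY = {
    "subject": ((("commonName", "2.example.com"),),),
}
BACKEND_CERT_WITH_SAN = {
    "subject": ((("commonName", "2.example.com"),),),
    "subjectAltName": (("DNS", "2.example.com"), ("DNS", "1.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("CN only", BACKEND_CERT_CN_ONLY), ("with SAN", BACKEND_CERT_WITH_SAN)):
        ok, detail = verify_peer_name(cert, "1.example.com")
        print(f"{label:9s} -> {'OK' if ok else 'FAIL'}: {detail}")
```

Run against the CN-only certificate, the check fails with the same complaint the thread quotes; once the balancer name is in the SAN it passes, and it still passes when the client dials the balancer directly by its own name. The last point worth noticing is that a certificate whose CN happens to equal the balancer name is not rescued if its SAN lists only other names: when a SAN is present, the CN is never consulted, which is why re-issuing the back-end certificates with every name clients will use in the SAN is the durable fix rather than relaxing the client's TLS_REQCERT setting.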