[Date Prev][Date Next] [Chronological] [Thread] [Top]

OL, SSL/TLS, and load balancing

In working with OpenLDAP, and trying to maintain a load-balanced pool of servers which can be made available to campus, I've run into an issue when wanting to use/enable SSL and/or TLS. The main issue comes down to how SSL/TLS handling is done in OpenLDAP. In general, the cert DN must match the servername.

When you use a software load balancer, this breaks client negotiated SSL/TLS, in that a bind to "ldap.stanford.edu" will come back with a bind to "ldap6.stanford.edu". Since "ldap.stanford.edu" != "ldap6.stanford.edu", the bind will fail.

When you use a hardware load balance, this will break SSL/TLS encrypted replication, since doing an update to "ldap6.stanford.edu" will return a cert of "ldap.stanford.edu".

One fix for this would be using a star cert, with "ldap.stanford.edu" in the subjectAltName. However, I cannot find a cert vendor (which, for the time being, I must use) that will issue this. The closest I can get is a cert with "*.stanford.edu" in the DN field. However, the RFC discussing star certs only mentions them being present in the subjectAltName field, which means that cert is rejected. On the other hand, ever other application and client we've used this cert with accepts it as valid -- It is only OL that is being picky about the RFC here.

I do think the capability to load balance directory servers is an important one, and is something that is going to impact a large number of potential users of OpenLDAP. So my question here is, should OL really be this stringent on the RFC about star certs in this case? It is obvious the intent of the cert is to give the star capabilities, even if the location is incorrect.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html