[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Multiple ldap servers, ssl, and dns round robin?


i had the same problem a some time ago.
I found some previous posts on this list
to this topic but they can't help me.

They sad something about using a alternative
name in the ssl cert.
I did not work. I think its simply not possible to
use more than one FQDN in a ssl cert.
I'm no ssl guru so correct me if this is wrong.

I solved my problem with ssh tunnels.
Now my replication works over SSL tunnels and my balanced
Servers have the FQDN of my balancer in its ssl cert.

It works ...

I created a 'sshtunnel' user on both the clients and the master.
Than i generated a key pair on the master for this user and copied
the public key over to the slaves. You should use no Passphrase.
After you have successfully tested the key by loging into the machine
with keyauthentication you can set the shell to /bin/false for sshtunnel.

I start the tunnels with the following commands in my init scripts as user 'sshtunnel':
/usr/bin/ssh -2 -N -f -L 10389:localhost:389 ldap01.mydomain.de
/usr/bin/ssh -2 -N -f -L 12389:localhost:389 ldap02.mydomain.de

This forwards port localhost:10389 over SSH tunnel to localhost:389 on the slave.

Markus Benning

On Wed, Nov 28, 2001 at 02:03:15AM -0500, Michael Cunningham wrote:
> Hiya,
> I have 4 ldap servers that I would like to put in a 
> dns round robin for performance reasons. 
> ldap1.xpedite.com
> ldap2.xpedite.com
> ldap3.xpedite.com
> ldap4.xpedite.com
> I would like to use the name "ldap.xpedite.com"
> as the dns round robin name. 
> ldap1 is the master ldap server and the rest are replicates. 
> They currently replicate using ssl which I need to keep. 
> The ssl certificates where generated using a FQDN. 
> Example: ldaptest1.xpedite.com
> Replication via ssl works great and ssl transactions to each 
> server individually using their real FQDN work well. When I 
> attempt to access the round robin as ldap.xpedite.com, ssl
> transactions refuse to work. I realize that it is failing 
> because the cert is generated for the FQDN of the individual
> server.. not the round robin name (ldap.xpedite.com). 
> Is there a way I can give a server multiple names in a cert
> such as ldap1, ldap1.xpedite.com, ldap.xpedite.com, ldap, IP Addr, etc..
> so the client will accept the cert if it is called by
> ldap1.xpedite.com or ldap.xpedite.com, or etc.. ? 
> Some sort of aliasing in ssl certs perhaps? 
> I am using openssl to generate and self sign the ssl certificates.
> Thanks for any assistance you can offer.. 
> Mike

Markus Benning

   /V\     Tel. : +49 9131 7 21713
 /(   )\   Email: Markus.Benning@siemens.com
  ^^-^^    __________________________________