[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Multiple ldap servers, ssl, and dns round robin?

To: Markus Benning <benning@erlm.siemens.de>, openldap-software <openldap-software@OpenLDAP.org>
Subject: Re: Multiple ldap servers, ssl, and dns round robin?
From: Terry Davis <tdavis@birddog.com>
Date: Wed, 28 Nov 2001 02:23:56 -0600
References: <Pine.GSO.4.05.10111280150140.21607-100000@mailserver2.xpedite.com> <20011128091607.B18076@erls02.siemens.de>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.6) Gecko/20011120

you are using a single fqdn or hostname to access your ldap servers since they are in dns round robin correct? either recreate your certificates to use this single name or change your clients and dns to use the name or fqdn that the certificate expects.

Markus Benning wrote:

Hi,
i had the same problem a some time ago.
I found some previous posts on this list
to this topic but they can't help me.
They sad something about using a alternative
name in the ssl cert.
I did not work. I think its simply not possible to
use more than one FQDN in a ssl cert.
I'm no ssl guru so correct me if this is wrong.
I solved my problem with ssh tunnels.
Now my replication works over SSL tunnels and my balanced
Servers have the FQDN of my balancer in its ssl cert.
It works ...
I created a 'sshtunnel' user on both the clients and the master.
Than i generated a key pair on the master for this user and copied
the public key over to the slaves. You should use no Passphrase.
After you have successfully tested the key by loging into the machine
with keyauthentication you can set the shell to /bin/false for sshtunnel.
I start the tunnels with the following commands in my init scripts as user 'sshtunnel':
/usr/bin/ssh -2 -N -f -L 10389:localhost:389 ldap01.mydomain.de
/usr/bin/ssh -2 -N -f -L 12389:localhost:389 ldap02.mydomain.de
...
This forwards port localhost:10389 over SSH tunnel to localhost:389 on the slave.
--
Markus Benning
On Wed, Nov 28, 2001 at 02:03:15AM -0500, Michael Cunningham wrote:
Hiya,
I have 4 ldap servers that I would like to put in a dns round robin for performance reasons.
ldap1.xpedite.com
ldap2.xpedite.com
ldap3.xpedite.com
ldap4.xpedite.com
I would like to use the name "ldap.xpedite.com" as the dns round robin name.

ldap1 is the master ldap server and the rest are replicates. They currently replicate using ssl which I need to keep.

The ssl certificates where generated using a FQDN. Example: ldaptest1.xpedite.com

Replication via ssl works great and ssl transactions to each server individually using their real FQDN work well. When I attempt to access the round robin as ldap.xpedite.com, ssl transactions refuse to work. I realize that it is failing because the cert is generated for the FQDN of the individual server.. not the round robin name (ldap.xpedite.com). Is there a way I can give a server multiple names in a cert such as ldap1, ldap1.xpedite.com, ldap.xpedite.com, ldap, IP Addr, etc.. so the client will accept the cert if it is called by ldap1.xpedite.com or ldap.xpedite.com, or etc.. ? Some sort of aliasing in ssl certs perhaps? I am using openssl to generate and self sign the ssl certificates.

Thanks for any assistance you can offer..
Mike

Follow-Ups:
- Re: Multiple ldap servers, ssl, and dns round robin?
  - From: Markus Benning <benning@erlm.siemens.de>

References:
- Multiple ldap servers, ssl, and dns round robin?
  - From: Michael Cunningham <archive@xpedite.com>
- Re: Multiple ldap servers, ssl, and dns round robin?
  - From: Markus Benning <benning@erlm.siemens.de>

Prev by Date: Re: Multiple ldap servers, ssl, and dns round robin?
Next by Date: Dump Question - How to set the password for each user ?
Index(es):
- Chronological
- Thread