Re: TLS issue behind Cisco load balancer

[Andrew Findlay <andrew.findlay@skills-1st.co.uk>]

On Wed, Jan 15, 2003 at 02:59:33PM -0600, Morong, Gerry wrote:

>        LDAP clients
>   _________|______________________
>  |__________LoadBalancer1_________|
>    |             |             |
>  ldapserver1  ldapserver2  ldapserver3
> 
> 
> Have three LDAP servers behind a load balancer.  Certain client TLS
> requests seem to be failing like "id -a username" and system logins.
> However, using the ldapsearch command with the -Z options seems to work
> fine.  I am assuming the problem has to do with load balancer's hostname
> not matching what is in the ldap servers certificate.  Have seen a
> couple of postings about using "subjectAltName" with the hostname of the
> load balancer in the certificate on the LDAP server.  Have not been able
> to include the "subjectAltName" successfully.

If the LDAP servers are *only* accessed through the load-balancer, why
not give them all the same certificate and key, using the DNS name
that resolves to the load-balancer address?

After all, the whole point of load-balancers is to make multiple
systems appear to be a single system to the clients. It makes sense to
have the backend systems claim the same ID...

On subjectAltName: yes, putting in multiple names is supposed to work.
Unfortunately, not all clients are capable of understanding the
subjectAltName data so it may not win you anything in practice.
( I have not tried this with LDAP, but I did find that Web browsers
failed to recognise subjectAltName data)

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------