RE: TLS issue behind Cisco load balancer

Want to maintain credentials for both the actual LDAP server names and
the load balancer.  This would allow me to list the load balancer and
LDAP servers in the "HOST" line of /etc/ldap.conf.  That way if the load
balancer dies, LDAP will fail over directly to one of the LDAP servers.
At least until we get a redundant load balancer scenario.


On Wed, Jan 15, 2003 at 02:59:33PM -0600, Morong, Gerry wrote:

>        LDAP clients
>   _________|______________________
>  |__________LoadBalancer1_________|
>    |             |             |
>  ldapserver1  ldapserver2  ldapserver3
> Have three LDAP servers behind a load balancer.  Certain client TLS
> requests seem to be failing, like "id -a username" and system logins.
> However, using the ldapsearch command with the -Z option seems to
> work fine.  I am assuming the problem has to do with the load balancer's
> name not matching what is in the LDAP servers' certificate.  Have seen a
> couple of postings about using "subjectAltName" with the hostname of the
> load balancer in the certificate on the LDAP server.  Have not been
> able to include the "subjectAltName" successfully.

If the LDAP servers are *only* accessed through the load-balancer, why
not give them all the same certificate and key, using the DNS name
that resolves to the load-balancer address?

After all, the whole point of load-balancers is to make multiple
systems appear to be a single system to the clients. It makes sense to
have the backend systems claim the same ID...

On subjectAltName: yes, putting in multiple names is supposed to work.
Unfortunately, not all clients are capable of understanding the
subjectAltName data so it may not win you anything in practice.
(I have not tried this with LDAP, but I did find that Web browsers
failed to recognise subjectAltName data.)
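
The name check the two replies are arguing about, written out as an added
example (this is not code from the thread or from OpenLDAP). It models what a
TLS client does with the server certificate after the handshake: a modern
client compares the name it dialled against the subjectAltName DNS entries
and only falls back to the CN when the certificate has none; the older
clients the second reply mentions ignore subjectAltName and compare the CN
alone. The certificates are constructed in the shape Python's
`ssl.SSLSocket.getpeercert()` returns, and the hostnames `ldap.example.com`
(the load balancer) and `ldapserverN.example.com` are assumptions standing in
for the real names.

```python
"""Hostname checking a TLS client performs against an LDAP server cert.

Added example, not from the mailing-list thread.  Certificates below are
constructed dicts in the shape of ssl.SSLSocket.getpeercert(); the DNS
names are assumed.
"""

LB_NAME = "ldap.example.com"                     # assumed name of LoadBalancer1
SERVERS = ["ldapserver1.example.com",            # assumed backend names
           "ldapserver2.example.com",
           "ldapserver3.example.com"]


def _dns_match(pattern, hostname):
    """RFC 6125-style match: case-insensitive, one leftmost-label wildcard."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False                             # reject "*" and "*.com"
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def san_dns_names(cert):
    """DNS entries from subjectAltName, as getpeercert() presents them."""
    return [value for (kind, value) in cert.get("subjectAltName", ())
            if kind == "DNS"]


def common_name(cert):
    """commonName from the subject RDN sequence, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def hostname_matches(cert, hostname, san_aware=True):
    """True if a client that dialled `hostname` would accept `cert`.

    san_aware=True  : SAN DNS names are authoritative; CN is used only
                      when the certificate carries no SAN at all.
    san_aware=False : the legacy behaviour the thread mentions, where
                      subjectAltName is ignored and only the CN counts.
    """
    names = san_dns_names(cert) if san_aware else []
    if not names:
        cn = common_name(cert)
        names = [cn] if cn else []
    return any(_dns_match(n, hostname) for n in names)


# Constructed certificates, one per option discussed in the thread.
CERT_PER_SERVER = {              # today: each backend has its own CN
    "subject": ((("commonName", "ldapserver1.example.com"),),),
}
CERT_SHARED_LB = {               # second reply: one cert naming the LB
    "subject": ((("commonName", LB_NAME),),),
}
CERT_WITH_SAN = {                # CN = LB name, SAN covers LB and backends
    "subject": ((("commonName", LB_NAME),),),
    "subjectAltName": tuple(("DNS", n) for n in [LB_NAME] + SERVERS),
}


def evaluate(cert, san_aware=True):
    """Map each name a client might put in ldap.conf HOST to accept/reject."""
    return {h: hostname_matches(cert, h, san_aware) for h in [LB_NAME] + SERVERS}


if __name__ == "__main__":
    for label, cert in [("per-server CN", CERT_PER_SERVER),
                        ("shared LB CN", CERT_SHARED_LB),
                        ("CN + SAN", CERT_WITH_SAN)]:
        print(label, "SAN-aware client:", evaluate(cert))
        print(label, "CN-only client:  ", evaluate(cert, san_aware=False))
```

Running it shows the three situations side by side: the per-server
certificate is rejected for the load balancer name, the shared load-balancer
certificate is rejected as soon as a client falls over to a backend name in
its HOST line, and the certificate with subjectAltName satisfies every name
for a SAN-aware client while a CN-only client still accepts just the load
balancer name. The CN is set to the load balancer name in the SAN
certificate for exactly that reason: it keeps the CN-only clients working.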

