RE: TLS/SSL & load-balanced servers
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Quanah Gibson-Mount
>
> Hello,
>
> I just ran into an interesting issue using TLS connections & load-balanced
> servers. Basically, each of our servers has its own cert
> (ldap#.stanford.edu). If I perform a search against the load-balanced name
> (ldap.stanford.edu), ldapsearch fails, noting that the names don't match.
> Is there an easy fix for this, or do I need to get an "ldap.stanford.edu"
> cert that each of the servers uses? And, will that even work inside
> OpenLDAP?
This topic has come up before on this list. You need to add an X509v3
extension to your certs, subjectAltName, that lists valid aliases for the
servers. E.g., add subjectAltName=DNS:ldap.stanford.edu.
http://www.openldap.org/faq/data/cache/185.html
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
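The following script is an added illustration of the fix described in the reply above; it is not part of the thread and not OpenLDAP project code. It assumes the `openssl` command-line tool (1.1.0 or newer, for `-verify_hostname`) is installed, uses the load-balanced alias `ldap.stanford.edu` from the thread, and makes up `ldap1.stanford.edu` as one server's own name. It issues a self-signed certificate whose subjectAltName carries both names and then runs OpenSSL's own hostname check against each name, which is the same check an LDAP client performs before trusting the server.

```sh
#!/bin/sh
# Added example: build a server certificate whose subjectAltName lists the
# per-server name and the load-balanced alias, then confirm that hostname
# verification accepts both and rejects a name that is not in the SAN.
set -e

WORK=$(mktemp -d)
HOST_NAME="ldap1.stanford.edu"   # hypothetical per-server name (constructed)
ALIAS_NAME="ldap.stanford.edu"   # load-balanced name from the thread

# Write an OpenSSL config with a subjectAltName extension and issue a
# self-signed certificate from it (30-day validity, RSA 2048, no passphrase).
make_san_cert() {
  cat > "$WORK/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[ dn ]
CN = $HOST_NAME
[ v3_server ]
subjectAltName   = DNS:$HOST_NAME, DNS:$ALIAS_NAME
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -config "$WORK/san.cnf" >/dev/null 2>&1
}

# Returns 0 when OpenSSL accepts the certificate for the given hostname.
# The cert is passed as its own trust anchor so only the name check matters.
hostname_ok() {
  openssl verify -CAfile "$WORK/server.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Print the names the certificate actually carries, for inspection.
show_san() {
  openssl x509 -in "$WORK/server.crt" -noout -ext subjectAltName 2>/dev/null \
    || openssl x509 -in "$WORK/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

make_san_cert
show_san
hostname_ok "$HOST_NAME"  && echo "accepted: $HOST_NAME"
hostname_ok "$ALIAS_NAME" && echo "accepted: $ALIAS_NAME"
hostname_ok "ldap9.stanford.edu" || echo "rejected: ldap9.stanford.edu (not in SAN)"
```

Each load-balanced server needs its own certificate issued this way, with its own name plus the shared alias in the SAN; the client-side check (`TLS_REQCERT demand` in ldap.conf, the default) then matches the name the client connected to against the SAN list rather than only the CN.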