
SSL certificates, kerberos keytabs, and load balancing

Hi, folks

I'm trying to figure out what happens when one starts doing load balancing with LDAP servers. Don't really need it today, but it seems to be a good day for such questions. :-)

So, we have N machines called ldapX.mydomain that all answer to requests sent to "ldap.mydomain". As far as "certificates"/"keys" go, there are two things that can go wrong:

1) kerberos key

As far as the kerberos keyfile goes, every machine really has to have a key for ldap/ldapX.mydomain, because kerberos will do reverse name mapping, and does not care that the machine happens to answer to "ldap.mydomain" alias. Ad acta?

2) ssl certificate

OK, which name is used here? ldap.mydomain on all the servers, or different certificate (issued for ldapX.mydomain) for each of the servers?

Btw, could someone point me to a piece of documentation explaining step-by-step how to set up load balancing for LDAP?

T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation

Dr. Denis Havlik
eMail: denis.havlik@t-mobile.at
Rennweg 97-99, BT2E0304031
Phone: +43-1-79-585/6237
A-1030 Vienna
Fax: +43-1-79-585/6584

Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Sent by: owner-openldap-software@OpenLDAP.org

09.04.2004 14:04

        To:        calvin.liu@sun.com
        Cc:        openldap-software@OpenLDAP.org
        Subject:   Re: My OpenLDAP doesn't listen to port 636 ...  [Virus checked]

Calvin Liu writes:
> ldapsearch ... -h marathon ...

I don't know much about certificates, but:

The client verifies that the hostname in the server certificate matches
the hostname it connects to.  So the ldapsearch command needs the full
hostname which the certificate contains.  That is, presumably
marathon.prc.sun.com.  At least I *hope* you have a fully qualified
hostname in the certificate...

I think you can get it displayed and possibly verified
with the commands
 openssl x509 -enddate -noout < certificate-file
or by connecting to the server with the
 openssl s_client ...
command.  ('openssl s_client help' displays help.)

> BTW, where can I find more information about OpenLDAP besides the 'Admin
> Guide'?

The manual pages.

LDAP tutorials in general for what to put in LDAP and how to use it.
Google will find them, I don't know which ones are good.
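The point both messages turn on is the same check: a TLS client compares the name it connected to (the `-h` argument, or the load-balanced alias) against the names in the server certificate, and it does not consult DNS aliases or reverse lookups when doing so. The following is an added example, not code from the thread or from OpenLDAP. It models that comparison in plain Python (dNSName entries in subjectAltName first, subject CN only as a legacy fallback when no SAN is present, a wildcard allowed only as the whole leftmost label) and runs it over constructed certificate names for the two scenarios discussed: per-host certificates for ldap1.mydomain / ldap2.mydomain behind the alias ldap.mydomain, and certificates that carry the alias as well, plus the unqualified `marathon` versus `marathon.prc.sun.com` case from the quoted reply. The host names, the `CertNames` structure and the helper names are assumptions for illustration; real clients get these names by parsing the certificate, and the Kerberos keytab question is not modelled here.

```python
"""Hostname verification as a TLS client performs it (added example, not from the thread).

The client compares the name it connected to against the dNSName entries in the
certificate's subjectAltName; only a certificate with no SAN falls back to the
subject CN. A load-balanced pool therefore needs every back-end's certificate to
carry the alias the clients actually use (ldap.mydomain), not just ldapX.mydomain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertNames:
    """Names taken from a server certificate. Constructed for this example, not parsed from DER."""
    common_name: Optional[str] = None
    dns_names: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, wildcard only
    as the whole leftmost label and matching exactly one label. Public-suffix rules omitted."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # reject partial ("ld*p.mydomain") or multiple ("*.*.mydomain") wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """True if `hostname` (the name the client connected to) is covered by `cert`."""
    if cert.dns_names:                       # SAN present: the CN is ignored entirely
        return any(_dns_name_matches(n, hostname) for n in cert.dns_names)
    if cert.common_name is not None:         # legacy fallback, only when there is no SAN
        return _dns_name_matches(cert.common_name, hostname)
    return False


def pool_check(server_certs: Dict[str, CertNames], client_target: str) -> Dict[str, bool]:
    """For each back-end (keyed by its real hostname), would a client that connected to
    `client_target` and was routed to that back-end accept its certificate?"""
    return {server: hostname_matches(cert, client_target)
            for server, cert in server_certs.items()}


if __name__ == "__main__":
    # Scenario A (constructed): per-host certificates only, clients use the alias.
    per_host = {
        "ldap1.mydomain": CertNames(common_name="ldap1.mydomain"),
        "ldap2.mydomain": CertNames(common_name="ldap2.mydomain"),
    }
    print("per-host certs, target ldap.mydomain:", pool_check(per_host, "ldap.mydomain"))

    # Scenario B (constructed): each host's certificate lists the alias and its own name.
    with_alias = {
        "ldap1.mydomain": CertNames(dns_names=["ldap.mydomain", "ldap1.mydomain"]),
        "ldap2.mydomain": CertNames(dns_names=["ldap.mydomain", "ldap2.mydomain"]),
    }
    print("alias in SAN, target ldap.mydomain:", pool_check(with_alias, "ldap.mydomain"))
    print("alias in SAN, target ldap2.mydomain:", pool_check(with_alias, "ldap2.mydomain"))

    # The unqualified-name case from the quoted reply: 'marathon' vs the FQDN in the cert.
    sun = CertNames(common_name="marathon.prc.sun.com")
    print("-h marathon:", hostname_matches(sun, "marathon"))
    print("-h marathon.prc.sun.com:", hostname_matches(sun, "marathon.prc.sun.com"))
```

Scenario A fails on every back-end because the client never asked for ldapX.mydomain; scenario B passes both for the alias and for a direct connection to a single host, which is the practical answer to the "which name goes in the certificate" question: either one certificate per host whose SAN lists both the alias and the host's own name, or a single shared certificate for the alias installed on every host.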