[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL certificates, kerberos keytabs, and load balancing

--On Friday, April 09, 2004 3:26 PM +0200 denis.havlik@t-mobile.at wrote:

Hi, folks

I'm trying to figure out what happens when one starts doing the load
balancing with LDAP servers. Don't really need it today, but it seams to
be a good day for such questions. :-)

So, we have N machines called ldapX.mydomain that all answer to requests
sent to "ldap.mydomain". As far as "certificates"/"keys" go, there are
two things that can go wrong:

1) kerberos key

As far as the kerberos keyfile goes, every machine really has to have a
key for ldap/ldapX.mydomain, because kerberos will do reverse name
mapping, and does not care that the machine happens to answer to
"ldap.mydomain" alias. Ad acta?

2) ssl certificate

OK, which name is used here? ldap.mydomain on all the servers, or
different certificate (issued for ldapX.mydomain) for each of the

Btw, could someone point me to a piece of documentation explaining
step-by-step how to set up load balancing 4 LDAP?

Good question about what it will want cert wise. I do *not* suggest software load balancing and SSL. For that to work, you need a * cert. We currently use software load balancing, and are unable to use TLS because the call to "ldap.stanford.edu" will return the server's real cert (ldapX.stanford.edu). If I use a different cert for the server (ldap.stanford.edu), I get a host name mismatch. So you'll have to use hardware load balancing. I plan to test that with Stanford's directory servers in the future, but that is a future project. ;)


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html