Re: SSL certificates, kerberos keytabs, and load balancing
Quanah Gibson-Mount wrote:
> I do *not* suggest software load balancing and SSL.
The term "software load balancing" is quite misleading.
What exactly do you mean by it?
> For that to work, you need a * cert.
> We currently use software load balancing, and are unable to use TLS
> because the call to "ldap.stanford.edu" will return the server's real
> cert (ldapX.stanford.edu). If I use a different cert for the server
> (ldap.stanford.edu), I get a host name mismatch.
So you're probably talking about load-balancing with DNS round-robin by
defining multiple CNAME records. Please be exact to avoid confusion.
> So you'll have to use hardware load balancing.
Again the term "hardware load balancing" is quite loose. I generally dislike
classification like this since every IT system I know of is hardware and
If you're talking about devices like Alteon switches or similar put in front
of the LDAP server note that this device is the SSL connection end-point.
You won't be able to use SASL EXTERNAL with client certs then. Probably not
a big deal with your Kerberos-based setup but maybe not the right choice for
IMHO the best solution is when the LDAP application itself is capable of
providing load-balancing and fail-over. But these LDAP applications are
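To make the host name mismatch in the quoted setup concrete, here is an added example (not from either poster) of the subject-name check a TLS client performs against the server certificate. It implements the usual dNSName matching rules (exact match, or a wildcard only as the whole leftmost label, matching exactly one label) over constructed certificate name lists: a certificate issued only to a backend name such as ldap1.stanford.edu fails when the client connected to ldap.stanford.edu, while a certificate that carries the service name as an additional name, or a wildcard for the zone, passes. The host names are taken from the thread; the name lists are constructed for the example.

```python
# Added example: RFC 6125-style dNSName matching as a TLS client does it.
# Certificate name lists below are constructed samples, not real certificates.

def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if one certificate dNSName `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, and there must be at least
    # two more labels so "*.com"-style certificates are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # A wildcard matches exactly one label: *.stanford.edu does not match
    # stanford.edu or a.b.stanford.edu.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert_names: list[str], hostname: str) -> bool:
    """True if any dNSName in the certificate covers the name the client used."""
    return any(_match_dns_name(n, hostname) for n in cert_names)


# Constructed certificate name lists for the three scenarios in the thread.
BACKEND_ONLY_CERT = ["ldap1.stanford.edu"]                      # per-server cert
SERVICE_ALIAS_CERT = ["ldap1.stanford.edu", "ldap.stanford.edu"]  # backend + service name
WILDCARD_CERT = ["*.stanford.edu"]                              # the "* cert"

CLIENT_NAME = "ldap.stanford.edu"  # name the client resolved via round-robin


def check_scenarios() -> dict[str, bool]:
    """Evaluate which certificates satisfy a client that connected to CLIENT_NAME."""
    return {
        "backend_only": hostname_matches(BACKEND_ONLY_CERT, CLIENT_NAME),
        "service_alias": hostname_matches(SERVICE_ALIAS_CERT, CLIENT_NAME),
        "wildcard": hostname_matches(WILDCARD_CERT, CLIENT_NAME),
    }


if __name__ == "__main__":
    for scenario, ok in check_scenarios().items():
        print(f"{scenario:14s} -> {'OK' if ok else 'HOST NAME MISMATCH'}")
```

The practical point for a defender: with DNS round-robin the client verifies the name it resolved, so each backend's certificate must list the service name as a SAN (the second list) or be a wildcard for the zone; a per-server certificate alone always fails the check.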