[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OL, SSL/TLS, and load balancing

To: Quanah Gibson-Mount <quanah@stanford.edu>
Subject: Re: OL, SSL/TLS, and load balancing
From: Donn Cave <donn@u.washington.edu>
Date: Fri, 14 May 2004 12:55:12 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <6126849.1083583690@cadabra.stanford.edu>

Just a followup on this, moved to openldap-software ...

On Monday, May 3, 2004, at 11:28 AM, Quanah Gibson-Mount wrote:

In working with OpenLDAP, and trying to maintain a load-balanced pool of servers which can be made available to campus, I've run into an issue when wanting to use/enable SSL and/or TLS. The main issue comes down to how SSL/TLS handling is done in OpenLDAP. In general, the cert DN must match the servername.


We're lucky to be able to use our own certificate authority for this,
and in case it may be interesting to anyone else, the following seems
to work here.  Supposing a cluster vildap with members ildap01, ...

1. Host certificate - specified in slapd.conf TLSCertificateFile dn: cn=vildap.washington.edu, ... subjectAltName: DNS:vildap.u.washington.edu, DNS:ildap01.washington.edu

2. Client certificate - specified in /.ldaprc
   dn: cn=ildap01.washington.edu, ...

The client certificate is used by some internal procedures, notably
slurpd.

This works with several recent vintages of OpenLDAP, and it works
with Windows - "all" Windows platforms, I'm told.  I think the dual
name in subjectAltName is unnecessary, we only need the canonical
name there, but our certificate authority wanted to do it this way
and it hasn't hurt anything.  Our DNS cluster software is fairly
simple:  it returns A records for the cluster members, and the IPs
point back to the canonical names for their respective hosts.

	Donn Cave, donn@u.washington.edu

Prev by Date: Re: Preference for editing ACLs
Next by Date: Proxying a subtree with OpenLDAP
Index(es):
- Chronological
- Thread