
Re: OL, SSL/TLS, and load balancing

Just a followup on this, moved to openldap-software ...

On Monday, May 3, 2004, at 11:28 AM, Quanah Gibson-Mount wrote:

In working with OpenLDAP, and trying to maintain a load-balanced pool of servers which can be made available to campus, I've run into an issue when wanting to use/enable SSL and/or TLS. The main issue comes down to how SSL/TLS handling is done in OpenLDAP. In general, the cert DN must match the servername.

We're lucky to be able to use our own certificate authority for this, and in case it may be interesting to anyone else, the following seems to work here. Supposing a cluster vildap with members ildap01, ...

1. Host certificate - specified in slapd.conf TLSCertificateFile
   dn: cn=vildap.washington.edu, ...
   subjectAltName: DNS:vildap.u.washington.edu, DNS:ildap01.washington.edu

2. Client certificate - specified in /.ldaprc
   dn: cn=ildap01.washington.edu, ...

The client certificate is used by some internal procedures, notably

This works with several recent vintages of OpenLDAP, and it works
with Windows - "all" Windows platforms, I'm told.  I think the dual
name in subjectAltName is unnecessary, we only need the canonical
name there, but our certificate authority wanted to do it this way
and it hasn't hurt anything.  Our DNS cluster software is fairly
simple:  it returns A records for the cluster members, and the IPs
point back to the canonical names for their respective hosts.

	Donn Cave, donn@u.washington.edu
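The point of the setup above is that a TLS client checks the name it connected to against the names in the server's certificate, so a load-balanced cluster name only works if it appears in every member's certificate. The following is an added example, not code from this post or from OpenLDAP, that implements that name check (SAN DNS entries first, CN only as a legacy fallback when no SAN is present, RFC 6125 style single-label wildcards) and then audits a set of member certificates for a missing cluster name. The certificate dictionaries are constructed here in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the names are the ones from the post, and `ildap02` is an assumed second member.

```python
from __future__ import annotations

# Certificates in the shape of ssl.SSLSocket.getpeercert(). Constructed for
# this example; the names come from the post, ildap02 is an assumed member.
HOST_CERT_ILDAP01 = {
    "subject": ((("commonName", "vildap.washington.edu"),),),
    "subjectAltName": (
        ("DNS", "vildap.u.washington.edu"),
        ("DNS", "ildap01.washington.edu"),
    ),
}

# A member whose certificate carries only its own name in the CN (no SAN):
# connections to the cluster name that land on this member will fail the check.
HOST_CERT_ILDAP02 = {
    "subject": ((("commonName", "ildap02.washington.edu"),),),
}


def _match_dns(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname (case-insensitive,
    trailing dot ignored, '*' only as the entire leftmost label)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # wildcard must cover exactly one label and there must be at least two
    # fixed labels after it (no "*.edu" style patterns)
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """Names a client is allowed to match: the SAN DNS entries if any exist,
    otherwise the subject CN (legacy behaviour; the CN is ignored once a SAN
    is present)."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for the name the client connected to."""
    return any(_match_dns(name, hostname) for name in cert_names(cert))


def members_missing_name(member_certs: dict[str, dict], name: str) -> list[str]:
    """Audit helper: which cluster members present a certificate that would
    fail a client connecting to `name` (e.g. the load-balanced cluster name)."""
    return sorted(m for m, c in member_certs.items() if not hostname_matches(c, name))


if __name__ == "__main__":
    cluster = {"ildap01": HOST_CERT_ILDAP01, "ildap02": HOST_CERT_ILDAP02}
    for target in ("vildap.u.washington.edu", "ildap01.washington.edu"):
        print(target, "->", members_missing_name(cluster, target))
```

Running the audit shows that `vildap.u.washington.edu` is rejected by `ildap02`, while the per-host name only works on its own host; note also that with a SAN present the CN `vildap.washington.edu` is not consulted, so the name clients actually use must be in the SAN list.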