
Re: load balancer with SSL



On Wed, 2006-04-26 at 15:46 -0400, Jeremiah Martell wrote:
> On 4/24/06, Samuel Tran <stran@amnh.org> wrote:
> > On Mon, 2006-04-24 at 10:55 -0400, Jeremiah Martell wrote:
> > > I'm having some troubles with using SSL over a LDAP load balancer.
> > > Without SSL everything works fine, but when I turn on SSL I get a
> > > failure. But if I use SSL and bypass the load balancer and point
> > > directly to a LDAP directory everything works fine again.
> > >
> > > Is there something tricky or special I need to know to get this to work?
> > >
> >
> > Hi Jeremiah,
> >
> > What is the error message you got when trying to communicate with the
> > LDAP load balancer over SSL? What DNS names did you use to contact the
> > load balancer and each individual LDAP server? How did you create the
> > SSL certificates for the LDAP servers?
> >
> > I suspect that you haven't created the SSL certificates for the LDAP
> > servers with the 'SubjectAltName' field set to the DNS name of the load
> > balancer.
> >
> > Hope this helps.
> >
> > Sam
> >
> 
> I know the load balancer is setup properly because another ldap client
> can connect to it with SSL and do searches ok.
> 
> The error message I got was just "-1" unable to connect.
> 
> With my openldap client I have the TLS_REQCERT option set to "never"
> in ldap.conf, so it shouldn't be a bad name in the certificate, right?
> 
> Using Ethereal it looks like a valid SSL session is initiated, but
> then there's no SSL data traffic afterwards. I'm at a loss as to what
> could be causing this. Any ideas on what to try or look for?
> 

If TLS_REQCERT is properly set to 'never' in your ldap.conf, then the CN
or the 'SubjectAltName' in the server certificate don't matter.

What do you have in the LDAP log on the server that the connection is
redirected to? Can you do an ldapsearch over SSL directly to one of the
LDAP servers using its IP address?

Sam
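As an added example (not part of this thread), a small POSIX shell diagnostic that turns the two points above into a check: with TLS_REQCERT set to never the names in the server certificate are irrelevant, otherwise the name the client dials (the load balancer's DNS name) must appear as a SAN DNS entry or as the CN on every backend's certificate. The sample ldap.conf text and certificate text are constructed, and the `live_check` helper (which shells out to openssl against port 636) and the ldap.conf path it takes are assumptions, not something the thread states.

```shell
# Added example, not from the thread: can a certificate-name mismatch explain a
# failing ldaps:// connection? TLS_REQCERT never skips name checks; anything
# else needs the name the client dials (the load balancer) in every backend's cert.

# Constructed sample inputs standing in for a real ldap.conf and the output of
# `openssl x509 -noout -text` for one backend's certificate.
SAMPLE_LDAP_CONF='URI ldaps://ldap.example.com
TLS_REQCERT   demand'
SAMPLE_CERT_TEXT='        Subject: C=US, O=Example, CN=ldap1.example.com
            X509v3 Subject Alternative Name:
                DNS:ldap1.example.com, DNS:*.backend.example.com'

reqcert_of() {  # $1 = ldap.conf text; prints TLS_REQCERT lowercased (OpenLDAP default: demand)
    v=$(printf '%s\n' "$1" | awk 'toupper($1) == "TLS_REQCERT" { print tolower($2) }' | tail -n1)
    printf '%s\n' "${v:-demand}"
}

cert_names() {  # $1 = cert text; prints the subject CN, then each SAN DNS: entry
    printf '%s\n' "$1" | awk '/^ *Subject:/ { cn = $0; sub(/.*CN *= */, "", cn); sub(/[,\/].*/, "", cn); print "CN:" cn }
                              san { gsub(/,/, "\n"); print; san = 0 }
                              /Subject Alternative Name/ { san = 1 }' | sed -n 's/^ *DNS://p; s/^CN://p'
}

name_matches() {  # $1 = hostname, $2 = cert name: exact, or a leftmost single-label wildcard
    [ "$1" = "$2" ] && return 0
    [ "${2%%.*}" = '*' ] && [ "${1#*.}" != "$1" ] && [ "${1#*.}" = "${2#*.}" ]
}

cert_covers() {  # $1 = cert text, $2 = hostname; exit 0 when some cert name matches
    found=1
    while read -r n; do name_matches "$2" "$n" && found=0; done <<EOF
$(cert_names "$1")
EOF
    return $found
}

diagnose() {  # $1 = ldap.conf text, $2 = cert text, $3 = hostname the client dials
    [ "$(reqcert_of "$1")" = never ] && { echo ignored; return 0; }   # client won't check names
    if cert_covers "$2" "$3"; then echo ok; else echo mismatch; return 1; fi
}

# Live use (not run offline, assumed helper): compare the cert one backend serves on
# 636 against the load-balancer name the clients use; $3 is the client's ldap.conf path.
live_check() {  # $1 = backend host or IP, $2 = load-balancer DNS name, $3 = ldap.conf path
    txt=$(openssl s_client -connect "$1:636" </dev/null 2>/dev/null | openssl x509 -noout -text)
    diagnose "$(cat "$3")" "$txt" "$2"
}
```

Running `diagnose` against each backend's certificate separates "the client will reject this name" from the connection-level failure described above, which a TLS_REQCERT of never cannot cause.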