[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: load balancer with SSL

Samuel Tran wrote:
On Fri, 2006-06-09 at 09:58 -0400, Jeremiah Martell wrote:
I actually had the TLS_REQCERT set to allow, not never, would this
make a difference? The error I'm getting is "TLS: hostname
(1.example.com) does not match common name in certificate
(2.example.com)." I thought "allow" would keep this error from

 - Jeremiah

On 4/27/06, Jeremiah Martell <inlovewithgod@gmail.com> wrote:
I can do an ldapsearch over SSL and non-SSL directly to one of the
"behind the load balancer" LDAP servers. I can do an ldapsearch over
non-SSL to the load balancer, but SSL to the load balancer fails - it
looks like SSL connects fine, but nothing happens after that.

Im going to add some logging and see what I get. Hopefully it will
shed more light on the matter. If you have any suggestions in the
meantime I'd love to hear them. :-) I'lll try posting my results here
when I get them.

 - Jeremiah

On 4/26/06, Samuel Tran <stran@amnh.org> wrote:
On Wed, 2006-04-26 at 15:46 -0400, Jeremiah Martell wrote:
On 4/24/06, Samuel Tran <stran@amnh.org> wrote:
On Mon, 2006-04-24 at 10:55 -0400, Jeremiah Martell wrote:
I'm having some troubles with using SSL over a LDAP load balancer.
Without SSL everything works fine, but when I turn on SSL I get a
failure. But if I use SSL and bypass the load balancer and point
directly to a LDAP directry everything works fine again.

Is there something tricky or special I need to know to get this to work?

Hi Jeremiah,

What is the error message you got when trying to communicate with the
LDAP load balancer over SSL? What DNS names did you use to contact the
load balancer and each individual LDAP server? How did you create the
SSL certificates for the LDAP servers?

I suspect that you haven't created the SSL certificates for the LDAP
servers with the 'SubjectAltName' field set to the DNS name of the load

Hope this helps.


I know the load balancer is setup properly because another ldap client
can connect to it with SSL and do searches ok.

The error message I got was just "-1" unable to connect.

With my openldap client I have the TLS_REQCERT option set to "never"
in ldap.conf, so it shouldnt be a bad name in the certificate, right?

Using Ethereal it looks like a valid SSL session is initiated, but
then there's no SSL data traffic afterwards. I'm at a loss as to what
could be causing this. Any ideas on what to try or look for?

If TLS_REQCERT is properly set to 'never' in your ldap.conf, then the CN
or the 'SubjectAltName' in the server certificate don't matter.

What do you have in the LDAP log on the server that the connection is
redirected to? Can you do an ldapsearch over SSL directly to one of the
LDAP servers using its IP address?



I did the test with TLS_REQCERT set to 'allow' and got the same result
as you. I am not sure what they mean by 'bad certificate' in the manual
page of 'ldap.conf'.

Generally a bad certificate means a certificate whose signature cannot be verified by the SSL library, or a missing certificate. If a certificate is provided and the SSL library can verify it, then it will be used. If the hostname doesn't match, the connection will fail. I.e., hostname matches are never ignored once the certificate is verified. For a load balancing situation you must use subjectAltName's with the relevant names, that's all there is to it.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/