
Re: load balancer with SSL



>>"or just get a cert for "loadbalancer.example.com" and use that."

This is exactly what we do for load balancing.  We use the same cert on
each node.
We use ssh tunnels for slurpd replication to get past unencrypted
replication. (OL v2.2.29)

Jonathan Higgins
Assoc Director Network & Security
Kennesaw State University
jhiggins@kennesaw.edu


>>> Aaron Richton <richton@nbcs.rutgers.edu> 10/18 2:28 PM >>>
I don't see this...

[put NotTheCert in /etc/hosts]

$ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
No such object (32)
$ ed ldap.conf
633
1,$s/never/demand/p
TLS_REQCERT     demand
w
634
q
$ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate

Certainly appears to instigate different behavior to me.

However, the whole point of the load balancer is to make everything look
the same. Toward that end, why would you want server1 and server2 to look
different--might as well lose the load balancer at that point. With the
load balancer, either use subjectAltNames, or just get a cert for
"loadbalancer.example.com" and use that. We do the latter; I don't *want*
the users to see that they're connected to server1 or server2 or....
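The hostname check that bites in the ldapsearch runs above, written out as an added example (not code from either poster or from OpenLDAP): the certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and the matcher follows the usual rule that DNS subjectAltNames, when present, replace the CN entirely, so the "same cert on every node" and "cert with SANs" setups from the thread can be compared directly.

```python
# Hostname-vs-certificate matching as a TLS client applies it under
# TLS_REQCERT demand. Constructed example; the cert dicts mimic the
# structure of ssl.SSLSocket.getpeercert() so the matcher could also be
# run against a live peer certificate.

def _dns_names(cert):
    """DNS SANs if any exist; otherwise fall back to the subject CN.
    When dNSName SANs are present the CN is not consulted at all."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def _name_matches(pattern, hostname):
    """Case-insensitive match. A leading '*' may stand for exactly one whole
    label and needs at least two fixed labels after it ('*.com' is rejected)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])

def hostname_matches(cert, hostname):
    """True if the name the client connected to is covered by the cert."""
    return any(_name_matches(n, hostname) for n in _dns_names(cert))

def start_tls_outcome(cert, hostname, reqcert):
    """Mirror the two ldapsearch runs: 'never' ignores a mismatch, 'demand'
    turns it into the error seen on the list. Returns the outcome string."""
    if reqcert == "never" or hostname_matches(cert, hostname):
        return "connected"
    return "TLS: hostname does not match CN in peer certificate"

# Constructed certificates for the setups discussed in the thread.
CERT_SERVER1 = {"subject": ((("commonName", "server1.example.com"),),)}
CERT_LB = {"subject": ((("commonName", "loadbalancer.example.com"),),)}
CERT_SAN = {"subject": ((("commonName", "server1.example.com"),),),
            "subjectAltName": (("DNS", "server1.example.com"),
                               ("DNS", "loadbalancer.example.com"))}

if __name__ == "__main__":
    for name, cert in (("server1 cert", CERT_SERVER1), ("LB cert", CERT_LB),
                       ("SAN cert", CERT_SAN)):
        print(name, "->", start_tls_outcome(cert, "loadbalancer.example.com", "demand"))
```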