[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: load balancer with SSL

James Bourne wrote:
At any rate I can say that load balancers with SSL do work even on 2.0.27
(as that is what our current cluster of ldap servers are).

When you create the certificate simpley make the hostname in the cert the
hostname of the cluster IP for your load balancer, then add the real server
name as the subjectAltName of the certificate.  This will allow you to
replicate over SSL to the real server name (on the private network) and
still query the cluster hostname with SSL and not get certificate errors.

This is in the FAQ isn't it?

It probably is, why don't you look? Add it yourself if it's missing, that's what the FAQ-o-Matic is for.

Anyway, as I wrote in the Admin Guide, http://www.openldap.org/doc/admin23/tls.html you should use the real hostname as the CN of the cert DN, and put the cluster name in as an alias. Opposite of what you suggested. Ultimately it works either way.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/