Our clients are mainly nss_ldap connecting with starttls, so it looks
like our best bet is either a wildcard cert or SubjectAltName.
SubjectAltName seems a bit more complicated to do, as in openssl I
will have to edit the openssl.cnf file, add all the hostnames and
recreate the CSR. We use a local CA here for signing all the
certificates used in protected communications.
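The SubjectAltName route described above, as an added example that is not from the thread or from OpenLDAP itself: an openssl config that puts the load-balancer name in the CN and repeats it in subjectAltName next to both provider names (ldap.example.com is an assumed VIP name; the provider names are the ones used in the thread), then generates the CSR for the local CA and checks that every name is actually present in it.

```shell
#!/bin/sh
# Added example, not code from the thread: one CSR whose SAN list covers the VIP
# name and both backend providers. Assumed names: ldap.example.com is the VIP;
# ldap-sid1/ldap-sid2.example.com are the two providers from the thread.
# Needs the openssl CLI; files go into $WORK.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config. CN is the VIP name, and the VIP name is repeated in
# subjectAltName because clients that find a SAN list ignore the CN.
write_san_config() {
  cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = ldap.example.com
[ v3_req ]
subjectAltName = DNS:ldap.example.com,DNS:ldap-sid1.example.com,DNS:ldap-sid2.example.com
EOF
}

# Generate a private key and the CSR that the local CA signs.
make_csr() {
  write_san_config
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" \
    -config "$WORK/san.cnf" >/dev/null 2>&1
}

# Return 0 only if the given DNS name is in the CSR's SAN extension
# (the name must be followed by a comma, whitespace or end of line).
csr_has_san() {
  openssl req -in "$WORK/ldap.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$1(,|[[:space:]]|$)"
}

# Check every name a client or a replication peer may connect with.
csr_has_all_sans() {
  for h in ldap.example.com ldap-sid1.example.com ldap-sid2.example.com; do
    csr_has_san "$h" || return 1
  done
}

make_csr && csr_has_all_sans && echo "CSR carries the VIP name and both provider names"
```

Have the local CA sign `ldap.csr` with the requested extensions copied into the certificate, otherwise the SAN list is dropped at signing time.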
On 11-08-27 3:45 PM, Marco Schirrmeister wrote:
To avoid all these name problems and to keep things
simple I use a wildcard certificate.
This cert is also used on the real servers and on the load
The load balancer terminates the ssl connection for port 636
and creates a new session to the backend server.
The reason that I also have the wildcard cert on the
backend servers is for secure connections over 389.
The load balancer doesn't speak the ldap protocol, so if a
client is doing a starttls he would get the cert from the real
If 389 is not needed, then I think 1 or 2 certs on a load
balancer would be enough.
The replication works also with self-signed certs if
On Aug 26, 2011, at 10:35 PM, Daniel Qian wrote:
Still not sure how
you did it. Are you saying you set the same certificate in
slapd and played with DNS to make it look like only one
server (URL) to everyone?
On 11-08-26 4:03 PM, Chris Jacobs wrote:
* set up servers behind a VIP
* obtain a cert with the primary name of the VIP DNS w/
secondary names of the servers.
That way, the servers can sync/trust each other via
the same cert used by clients.
Note: some clients (looking at you, Firefox) won't use
the primary name if subjectAltName exists - so
include the primary name in the alt names JIC.
Chris Jacobs, Systems Administrator, Technology
Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc.
2001 6th Ave | Suite 3200 | Seattle, WA
direct 206.839.8245 | cell 206.601.3256 |
From the openldap website the two nodes have to use
different URLs like below:
I can set two different certificates so that TLS is fine
for sync between the two nodes. However, we will have
regular LDAP clients accessing these two nodes behind a
load balancer over TLS too. Obviously the client can't
connect with ldap-sid2.example.com,
nor with ldap-sid1.example.com.
So what is the solution to this scenario? Set up a pool
of consumers with the same hostname?