
Re: load balancer with SSL



On Fri, 2006-06-09 at 09:58 -0400, Jeremiah Martell wrote:
> I actually had the TLS_REQCERT set to allow, not never, would this
> make a difference? The error I'm getting is "TLS: hostname
> (1.example.com) does not match common name in certificate
> (2.example.com)." I thought "allow" would keep this error from
> happening.
> 
>  - Jeremiah
> 
> On 4/27/06, Jeremiah Martell <inlovewithgod@gmail.com> wrote:
> > I can do an ldapsearch over SSL and non-SSL directly to one of the
> > "behind the load balancer" LDAP servers. I can do an ldapsearch over
> > non-SSL to the load balancer, but SSL to the load balancer fails - it
> > looks like SSL connects fine, but nothing happens after that.
> >
> > I'm going to add some logging and see what I get. Hopefully it will
> > shed more light on the matter. If you have any suggestions in the
> > meantime I'd love to hear them. :-) I'll try posting my results here
> > when I get them.
> >
> >  - Jeremiah
> >
> > On 4/26/06, Samuel Tran <stran@amnh.org> wrote:
> > > On Wed, 2006-04-26 at 15:46 -0400, Jeremiah Martell wrote:
> > > > On 4/24/06, Samuel Tran <stran@amnh.org> wrote:
> > > > > On Mon, 2006-04-24 at 10:55 -0400, Jeremiah Martell wrote:
> > > > > > I'm having some troubles with using SSL over a LDAP load balancer.
> > > > > > Without SSL everything works fine, but when I turn on SSL I get a
> > > > > > failure. But if I use SSL and bypass the load balancer and point
> > > > > > directly to a LDAP directory everything works fine again.
> > > > > >
> > > > > > Is there something tricky or special I need to know to get this to work?
> > > > > >
> > > > >
> > > > > Hi Jeremiah,
> > > > >
> > > > > What is the error message you got when trying to communicate with the
> > > > > LDAP load balancer over SSL? What DNS names did you use to contact the
> > > > > load balancer and each individual LDAP server? How did you create the
> > > > > SSL certificates for the LDAP servers?
> > > > >
> > > > > I suspect that you haven't created the SSL certificates for the LDAP
> > > > > servers with the 'SubjectAltName' field set to the DNS name of the load
> > > > > balancer.
> > > > >
> > > > > Hope this helps.
> > > > >
> > > > > Sam
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > > I know the load balancer is set up properly because another ldap client
> > > > can connect to it with SSL and do searches ok.
> > > >
> > > > The error message I got was just "-1" unable to connect.
> > > >
> > > > With my openldap client I have the TLS_REQCERT option set to "never"
> > > > in ldap.conf, so it shouldn't be a bad name in the certificate, right?
> > > >
> > > > Using Ethereal it looks like a valid SSL session is initiated, but
> > > > then there's no SSL data traffic afterwards. I'm at a loss as to what
> > > > could be causing this. Any ideas on what to try or look for?
> > > >
> > >
> > > If TLS_REQCERT is properly set to 'never' in your ldap.conf, then the CN
> > > or the 'SubjectAltName' in the server certificate don't matter.
> > >
> > > What do you have in the LDAP log on the server that the connection is
> > > redirected to? Can you do an ldapsearch over SSL directly to one of the
> > > LDAP servers using its IP address?
> > >
> > > Sam
> > >
> > >
> >

Jeremiah,

I did the test with TLS_REQCERT set to 'allow' and got the same result
as you. I am not sure what they mean by 'bad certificate' in the manual
page of 'ldap.conf'.

If you set TLS_REQCERT to 'never', does it fix the problem you were
having with your LDAP load balancer?

Sam
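The hostname-mismatch error quoted in the thread and Sam's SubjectAltName suggestion, as an added illustration that is not part of the original thread or of OpenLDAP: a small model of how a TLS client decides whether a server certificate is valid for the name it connected to. It assumes the common RFC 6125 rule (dNSName SANs take precedence, CN is only a fallback) rather than libldap's exact code, and all certificate names are constructed.

```python
# Added example (not from the thread): why a certificate issued to one
# backend (2.example.com) fails when the client reached the load balancer
# as 1.example.com, and why adding a SAN for the load balancer name fixes
# it. Certificates are modelled as plain dicts; names are constructed.

def _name_match(pattern: str, host: str) -> bool:
    """Match one DNS name pattern; a leading '*' may cover one label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]

def cert_matches_host(cert: dict, host: str) -> bool:
    """True if the certificate is valid for `host`.

    As in RFC 6125 clients: if any dNSName SAN is present, only the SANs
    are consulted; the CN is a fallback for legacy certificates without SANs.
    (Assumption: libldap's own check is not reproduced line by line.)
    """
    sans = [n for t, n in cert.get("subjectAltName", ()) if t == "DNS"]
    candidates = sans if sans else [cert.get("commonName", "")]
    return any(_name_match(c, host) for c in candidates)

def check(cert: dict, host: str) -> str:
    """Return 'ok' or the error text in the thread's wording."""
    if cert_matches_host(cert, host):
        return "ok"
    return (f"TLS: hostname ({host}) does not match common name in "
            f"certificate ({cert.get('commonName')})")

# Constructed: the backend's original certificate (CN only), and the same
# certificate reissued with SANs naming both the backend and the balancer.
BACKEND_CERT = {"commonName": "2.example.com"}
FIXED_CERT = {"commonName": "2.example.com",
              "subjectAltName": (("DNS", "2.example.com"),
                                 ("DNS", "1.example.com"))}

if __name__ == "__main__":
    print(check(BACKEND_CERT, "1.example.com"))  # the error from the thread
    print(check(FIXED_CERT, "1.example.com"))    # ok
```

Reissuing the backend certificates with a SAN for the balancer name keeps verification enabled, whereas TLS_REQCERT never only silences the check.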