James Bourne wrote:
At any rate I can say that load balancers with SSL do work even on 2.0.27 (as that is what our current cluster of ldap servers are).
When you create the certificate, simply make the hostname in the cert the hostname of the cluster IP for your load balancer, then add the real server name as the subjectAltName of the certificate. This will allow you to replicate over SSL to the real server name (on the private network) and still query the cluster hostname with SSL and not get certificate errors.
This is in the FAQ isn't it?
It probably is, why don't you look? Add it yourself if it's missing, that's what the FAQ-o-Matic is for.
Anyway, as I wrote in the Admin Guide, http://www.openldap.org/doc/admin23/tls.html you should use the real hostname as the CN of the cert DN, and put the cluster name in as an alias. Opposite of what you suggested. Ultimately it works either way.
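Both messages above describe the same certificate layout (one name in the CN, the other as a subjectAltName) and agree that a TLS client accepts either name. The following script is an added example, not code from the thread or from the OpenLDAP Admin Guide; it follows the Admin Guide's variant (CN = real server name, cluster name as the alias) and then runs the same hostname check a TLS client performs. The hostnames ldap1.example.com (real server) and ldap.example.com (load balancer VIP) are constructed for the example, and it assumes an OpenSSL 1.1.1 or newer binary on PATH for `-addext`, `-ext` and `-verify_hostname`.

```shell
#!/bin/sh
# Added example: self-signed server cert whose CN is the real host and whose
# subjectAltName lists both the real host and the load-balancer cluster name,
# then a client-side hostname match for each name.
set -eu

WORK=$(mktemp -d)
REAL_HOST="ldap1.example.com"     # constructed: real server name, used for replication
CLUSTER_HOST="ldap.example.com"   # constructed: cluster VIP name, used by clients
CERT="$WORK/server.crt"
KEY="$WORK/server.key"

# Build the key and cert. CN carries the real host; the SAN extension carries
# both names, so a client connecting to either name finds a match.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$KEY" -out "$CERT" \
    -subj "/CN=$REAL_HOST" \
    -addext "subjectAltName=DNS:$REAL_HOST,DNS:$CLUSTER_HOST" >/dev/null 2>&1
}

# Print the SAN extension so the two names can be seen in the issued cert.
show_san() {
  openssl x509 -in "$CERT" -noout -ext subjectAltName
}

# Exit 0 if the cert is valid for hostname $1, non-zero otherwise. The cert is
# self-signed, so it also serves as its own trust anchor via -CAfile; the
# -verify_hostname check is the same SAN/CN matching a TLS client applies.
cert_matches_host() {
  openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

make_cert
show_san
for h in "$REAL_HOST" "$CLUSTER_HOST" "ldap2.example.com"; do
  if cert_matches_host "$h"; then
    echo "$h: accepted"
  else
    echo "$h: REJECTED (name not in CN or subjectAltName)"
  fi
done
```

Running it prints the SAN line followed by "accepted" for both ldap1.example.com and ldap.example.com and "REJECTED" for ldap2.example.com, which is not in the certificate; swapping which name sits in the CN and which in the SAN gives the same three results, matching the remark that it works either way. Note that once a SAN extension with DNS entries is present, clients following RFC 6125 ignore the CN entirely, so the real host name must appear in the SAN as well, not only in the CN.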