Options 2 + load balancer.

 

Get a single SSL cert with your VIP’s name as cert’s name, then subjectaltnames with the 2 real server’s names and the vip name (some clients won’t use cert’s name if subjectaltname is used – or so I understand).

 

I do this for mirror-mode masters behind a VIP and 3 sets of load balancer round robin servers behind each environment’s VIP.

 

e.g.:

ldap-vip.hq (VIP), ldapmaster1.hq, ldapmaster2.hq (this vip pref’s ldapmaster1 is it’s available)

ldap-vip.prod (VIP), ldap01.prod, ldap02.prod (load balancer pretty much round-robin’s consecutive connections)

 

My 2 cents.

 

- chris

 

From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Aaron Bennett
Sent: Thursday, March 22, 2012 10:55 AM
To: Borresen, John - 0442 - MITLL; openldap-technical@openldap.org
Subject: RE: OPENLDAP & SSL -- FOR FAILOVER

 

From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Borresen, John - 0442 - MITLL
Sent: Thursday, March 22, 2012 9:38 AM
To: openldap-technical@openldap.org
Subject: OPENLDAP & SSL -- FOR FAILOVER

 

Question:

 

Right now, we have two OpenLDAP servers running in Delta-syncrepl and talking fine.  All the clients are connecting to the primary over port 636.  The question is on the best (practices) way of getting the secondary server into the certificate without re-hashing all the clients to the failover server's certificate. 

 

1) Should I set up a Wildcard certificate?

2) Should I put both systems in the "subjectAltName" line and create the certifiate, etc?

3) DNS Round-Robin?

 

Not 100% sure in which direction to go. 

 

Dave Borresen

Solaris/Linux Systems Administrator

Surveillance Systems Group

MIT Lincoln Laboratory

244 Wood Street

Lexington, MA  02420

john.borresen@ll.mit.edu

[Aaron Bennett]

 

Hi Dave,

 

We’ve got the same setup here, about to be deployed into production and fairly well tested.  We’re using DNS Round Robin to serve up ‘ldap.clarku.edu’ with two N-Way multimaster servers behind it.  We settle on having a cert issued to ldap.clarku.edu with each of the component nodes as a subjectAltName and it’s worked well, allowing each node to communicate with either other via their actual hostnames and not having any issues there.

 

One suggestion if you are using RedHat 6 / CentOS 6, don’t use the vendor-supplied OpenLDAP build.  Not only is it old, it’s built against the never-to-be-sufficiently-dammed (or at least, not ready for prime time) Mozilla NSS library.  I’m using 2.4.30 built against OpenSSL and it hasn’t failed in any of our testing.

 

Best,

 

Aaron

 

---

Aaron Bennett

Manager, Systems Administration

Clark University ITS

 

 

 


This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.