Hi,
Thanks for the suggestion, but I have never done it before; if you can share a doc or something, that would be great.
I use openssl to generate the certificate, so I don't even know how to configure subjectAltNames. Also, if you can explain a bit how I should proceed, it would be appreciated.
Example: ldap1.example.com ldap2.example.com
So, in the load balancer, what to configure, and how to create the certificate?
Please help.
Regards, Pradyumna
On Fri, Sep 9, 2011 at 7:35 PM, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Thursday, September 08, 2011 10:17 PM +0200 pradyumna dash <neomatrixgem@gmail.com> wrote:
Hi,
I would like to set up OpenLDAP Master-Master replication. Before that, I would like to know something more about it, because I have never implemented it.
Suppose I have 2 servers, ldap1.example.com and ldap2.example.com.
I will configure M-M replication with LDAPS. In this scenario, how should my architecture be? Do I need to keep it behind the load balancer, or what are the steps to do it? How will the client come to know if any of the servers is down, so that it will talk to the other server? Because in my ldap.conf file I will have a single URI/host entry pointing to one of the servers. And also, how to create the certificate: do I need 2 individual certificates, 1 for ldap1 and 1 for ldap2?
I would suggest a cert for ldap1 and ldap2, both having subjectAltNames for a load-balanced name too, so clients can work directly with the servers and directly with the LB name.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Hi,
This is the setup I would like to have.
                 LDAP clients
        ______________|______________
                      |
        _________LoadBalancer1_______
        |             |             |
   ldapserver1   ldapserver2   ldapserver3

My challenge is that I have never done this kind of architecture before, so I would like to know, from the LB perspective, how to configure it. Say, do I have to create a DNS FQDN, e.g. "ldapserver.example.com", and then use this as a floating IP/hostname for the 3 ldapservers in the backend? Or what should be done? The network team will do the setup, but I need to tell them what to do. My next question: I would like to configure LDAPS, so how do I create the certificate? I mean, what do I provide in the common name, or how do I create a certificate which can be shared across the servers? I am using "openssl". I am using SLES 11 (SP1) and the setup would be a Multi-Master replication.
Please help.
Regards, Neo
Guys,
Please suggest !!
Regards, Neo
The three servers in the LB pool can share one certificate. When you create the CSR for the certificate, you can specify ldapserver1, ldapserver2 & ldapserver3 for the subjectAltName field. Google "subjectAltName" and you should be able to find a lot of information on how to do that.
Remember to include the VIP name in the subjectaltname list - some clients ignore the subject name if subjectaltname exists.
- chris
Chris Jacobs, Systems Administrator, Technology Services Group Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc. 2001 6th Ave | Suite 3200 | Seattle, WA 98121 direct 206.839.8245 | cell 206.601.3256 | fax 206.839.8106 email mailto:chris.jacobs@apollogrp.edu
You mean to say if "server1.example.com" would be my VIP FQDN then the entries should be like this
subjectAltName = "DNS:server1.example.com, DNS:ldap-1.example.com, DNS:ldap-2.example.com, DNS:ldap-3.example.com"
Regards, Neo
So I don't need to put the FQDN of the LB in the cert, right?
Please correct me if I am wrong. My client will point to the FQDN/IP of the LB, which will internally distribute the traffic across the 3 backend LDAP servers. I was just confused whether to keep the LB FQDN in the cert.
Regards, Neo
The subjectAltName should be a comma separated list of all the FQDNs of your servers plus FQDN for the VIP as Chris just pointed out in his reply.
Thank you so much. I will try it tomorrow; in case of any issues I will get back.
As suggested, I will put the FQDN of 3 LDAP servers and also the FQDN of the VIP in the cert and create it.
Once again thanks for all your help.
/Neo
Yes, you do.
Subject: vip/lb
Subjectaltnames: server1, server2, etc, vip/lb
Clients will 'use' the vip/lb name (including slaves); the servers will use server names for syncing.
- chris
Chris Jacobs, Systems Administrator, Technology Services Group Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc. 2001 6th Ave | Suite 3200 | Seattle, WA 98121 direct 206.839.8245 | cell 206.601.3256 | fax 206.839.8106 email mailto:chris.jacobs@apollogrp.edu
________________________________
From: openldap-technical-bounces@OpenLDAP.org
To: daniel@up247solution.com
Cc: openldap-technical@openldap.org
Sent: Sun Sep 11 12:28:20 2011
Subject: Re: Need Help On Master-Master Replication Setup!!
So I don't need to put the FQDN of the LB in the cert, right?
Please correct me if I am wrong. My client will point to the FQDN/IP of the LB, which will internally distribute the traffic across the 3 backend LDAP servers. I was just confused whether to keep the LB FQDN in the cert.
Regards, Neo
On Sun, Sep 11, 2011 at 9:09 PM, Daniel Qian <daniel@up247solution.commailto:daniel@up247solution.com> wrote: The three servers in the LB pool can share one certificate. When you create the CSR for the certificate, you can specify ldapserver1, ldapserver2 & ldapserver3 for the subjectAltName field. Google with "subjectAltName" you should be able to find a lot of information how to do that.
On 11-09-11 2:48 PM, pradyumna dash wrote: Guys,
Please suggest !!
Regards, Neo
On Fri, Sep 9, 2011 at 11:15 PM, pradyumna dash <neomatrixgem@gmail.commailto:neomatrixgem@gmail.com> wrote: Hi,
This is the setup I would like to have.
            LDAP clients
                 |
           LoadBalancer1
      ___________|___________
     |           |           |
ldapserver1 ldapserver2 ldapserver3
My challenge is I never did this kind of architecture before, so I would like to know from the LB perspective how to configure it: say I have to create a DNS FQDN, e.g. "ldapserver.example.com", and then use this as a floating IP/hostname for the 3 ldapservers in the backend? Or what should be done? The network team will do the setup but I need to tell them what to do. My next question would be: I would like to configure LDAPS, so how to create the certificate, I mean what to provide in the common name, or how to create a certificate which can be shared across the servers? I am using "openssl". I am using SLES 11 (SP1) and the setup would be a Multi-Master replication.
Please help.
Regards, Neo
On Fri, Sep 9, 2011 at 8:14 PM, pradyumna dash <neomatrixgem@gmail.com> wrote:
Hi,
Thanks for the suggestion, but I never did it before; if you can share a doc or something, that would be great.
I use openssl to generate the certificate, so I don't even know how to configure subjectAltNames. Also, if you can explain a bit how I should proceed, it would be appreciated.
Example: ldap1.example.com ldap2.example.com
So in the load balancer what to configure and how to create the certificate.
Please help.
Regards, Pradyumna
On Fri, Sep 9, 2011 at 7:35 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
--On Thursday, September 08, 2011 10:17 PM +0200 pradyumna dash <neomatrixgem@gmail.com> wrote:
Hi,
I would like to set up OpenLDAP Master-Master replication; before that I would like to know something more about it, because I never implemented the same.
Suppose I have 2 servers, ldap1.example.com and ldap2.example.com.
I will configure M-M replication with LDAPS; in this scenario how should my architecture be? Do I need to keep it behind the load balancer, or what are the steps to do it? How will the client come to know if any of the servers is down, so that it will talk to the other server? Because in my ldap.conf file I will have a single URI/host entry pointing to one of the servers. And also how to create the certificate: do I need 2 individual certificates, 1 for ldap1 and 1 for ldap2?
I would suggest a cert for ldap1 and ldap2, both with having subjectAltNames for a load balanced name too, so clients can work directly to the servers and directly with the LB name.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
Thank you so much, I will configure it tomorrow and get back with the results :)
Regards, Neo
On Sun, Sep 11, 2011 at 9:52 PM, Chris Jacobs <Chris.Jacobs@apollogrp.edu> wrote:
Yes, you do.
Subject : vip/lb
Subjectaltnames : server1, server2, etc, vip/lb
Clients will 'use' the vip/lb name (including slaves); the servers will use server names for syncing.
- chris
Hi,
I have followed the below step but now I am getting some error:
#vi /etc/ssl/openssl.cnf
In the below section I have added the list of hosts:
[usr_cert]
subjectAltName = "DNS:ldap1.example.com, DNS: ldap2.example.com, DNS: lbldap.example.com ”
but I am getting the below error while trying the openssl debug command:
SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:530 SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:580
Please help.
Regards, Neo
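The certificate layout discussed in this thread (CN set to the load-balancer name, subjectAltName listing the load balancer and every server), as an added example that is not from any of the posters. It assumes the host names from the message above, a private config file instead of edits to /etc/ssl/openssl.cnf, and hypothetical function and file names; the self-signing step is only a stand-in for a real CA.

```shell
#!/bin/sh
# Added example, not from the thread: key + CSR for an LDAPS pool behind a
# load balancer. Function and file names here are illustrative assumptions.

# make_san_csr OUTDIR LB_NAME SERVER...
# CN is the load-balancer name; subjectAltName repeats it and adds each server.
make_san_csr() {
  [ $# -ge 2 ] || return 2
  outdir=$1; cn=$2; shift 2
  san="DNS:$cn"
  for n in "$@"; do san="$san,DNS:$n"; done
  mkdir -p "$outdir" || return 1
  # Private config file, so the system-wide openssl.cnf stays untouched.
  cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
  ( umask 077   # keep the private key unreadable to other users
    openssl req -new -newkey rsa:2048 -nodes -config "$outdir/san.cnf" \
      -keyout "$outdir/ldap.key" -out "$outdir/ldap.csr" )
}

# Test-only stand-in for the CA step. `openssl x509 -req` does not copy
# extensions out of the CSR on its own, so the SAN section is passed again.
self_sign() {
  openssl x509 -req -in "$1/ldap.csr" -signkey "$1/ldap.key" -days 30 \
    -extfile "$1/san.cnf" -extensions v3_req -out "$1/ldap.crt"
}

# Read `openssl req -text` or `openssl x509 -text` output on stdin and print
# one DNS subjectAltName entry per line.
sans_of() {
  sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *DNS://'
}

# Print every required name missing from the SAN list on stdin and return
# non-zero if any is missing. Exact match only; wildcards are not expanded.
missing_names() {
  have=$(sans_of); rc=0
  for n in "$@"; do
    printf '%s\n' "$have" | grep -qxF -- "$n" || { echo "$n"; rc=1; }
  done
  return "$rc"
}
```

Running `openssl x509 -in ldap.crt -noout -text | missing_names lbldap.example.com ldap1.example.com ldap2.example.com` against the certificate the CA returns shows whether the signing step kept the names that were requested in the CSR.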
openldap-technical@openldap.org