Question:
Right now, we have two OpenLDAP servers running in Delta-syncrepl and talking fine. All the clients are connecting to the primary over port 636. The question is on the best (practices) way of getting the secondary server into the certificate without re-hashing all the clients to the failover server's certificate.
1) Should I set up a Wildcard certificate?
2) Should I put both systems in the "subjectAltName" line and create the certificate, etc?
3) DNS Round-Robin?
Not 100% sure in which direction to go.
Dave Borresen
Solaris/Linux Systems Administrator
Surveillance Systems Group
MIT Lincoln Laboratory
244 Wood Street
Lexington, MA 02420
john.borresen@ll.mit.edu
On Thu, 22 Mar 2012, Borresen, John - 0442 - MITLL wrote:
Right now, we have two OpenLDAP servers running in Delta-syncrepl and talking fine. All the clients are connecting to the primary over port 636. The question is on the best (practices) way of getting the secondary server into the certificate without re-hashing all the clients to the failover server's certificate.
1) Should I set up a Wildcard certificate?
2) Should I put both systems in the "subjectAltName" line and create the certificate, etc?
3) DNS Round-Robin?
Not 100% sure in which direction to go.
First, I'll explicitly say what you're alluding to -- OpenLDAP itself won't care (and delegates this all to the TLS library, any decent one of which should handle any of these options). So this is really a practices discussion only.
I believe you'll find a lot more qualms about wildcard certs than with subjectAltNames or "sharing" certs across nodes. They'll work, but inherently they don't follow least-privilege philosophy, which has well-discussed pitfalls.
subjectAltName is certainly an extremely obvious/intended treatment. It's also nice that it can work without any additional technology involved.
I'm not a big fan of DNS round robin, in a traditional sense, for modern deployments. If ldap.example.com. holds records for ldap{1,2} and ldap2 dies, you've got 50% visible failure under many DNS implementations. That's...ugly.
I'll take the liberty of re-reading #3 as "sharing" a cert, i.e. install a certificate for ldap.example.com. on servers that are "really" ldap{1,2}. The plus here is that that cert should serve you "as is" until its expiration, even if you rearchitect into ldap{3,4,5} at some later time. You might like the fact that less of your infrastructure is detailed (i.e. the cert only shows ldap.example.com. in all fields). The negative -- and it's big -- is that you'll need some sort of smoke and mirrors in the way to make this work. Nowadays that probably means some flavor of load balancer/proxy and perhaps some trickery on the individual servers (think /etc/hosts) as well.
One should also consider that it's a fascinating (ab?)use of the model, so it might not be as intuitive to an outside observer as subjectAltNames should be.
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Borresen, John - 0442 - MITLL
Sent: Thursday, March 22, 2012 9:38 AM
To: openldap-technical@openldap.org
Subject: OPENLDAP & SSL -- FOR FAILOVER
Hi Dave,
We've got the same setup here, about to be deployed into production and fairly well tested. We're using DNS Round Robin to serve up 'ldap.clarku.edu' with two N-Way multimaster servers behind it. We settled on having a cert issued to ldap.clarku.edu with each of the component nodes as a subjectAltName and it's worked well, allowing each node to communicate with each other via their actual hostnames and not having any issues there.
One suggestion if you are using RedHat 6 / CentOS 6: don't use the vendor-supplied OpenLDAP build. Not only is it old, it's built against the never-to-be-sufficiently-damned (or at least, not ready for prime time) Mozilla NSS library. I'm using 2.4.30 built against OpenSSL and it hasn't failed in any of our testing.
Best,
Aaron
---
Aaron Bennett
Manager, Systems Administration
Clark University ITS
Option 2 + load balancer.
Get a single SSL cert with your VIP's name as the cert's name, then subjectAltNames with the 2 real servers' names and the VIP name (some clients won't use the cert's name if a subjectAltName is used - or so I understand).
I do this for mirror-mode masters behind a VIP and 3 sets of load balancer round-robin servers behind each environment's VIP.
e.g.:
ldap-vip.hq (VIP), ldapmaster1.hq, ldapmaster2.hq (this VIP prefers ldapmaster1 if it's available)
ldap-vip.prod (VIP), ldap01.prod, ldap02.prod (load balancer pretty much round-robins consecutive connections)
My 2 cents.
- chris
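As an added illustration of how a client evaluates the certificate layouts discussed above (the subjectAltName approach the first reply favours, the wildcard option, and chris's point that the CN is ignored once a subjectAltName is present), here is a small RFC 6125-style name check written for this thread; it is not code from the thread or from OpenLDAP. Certificates are modelled in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, and every hostname is a constructed example.

```python
"""Hostname checking the way a TLS client does it (RFC 6125 rules), run against
the three certificate layouts discussed in the thread. Certificates are modelled
in the dict shape that Python's ssl.SSLSocket.getpeercert() returns; every name
below is a constructed example, not a real host."""


def _match_one(pattern: str, hostname: str) -> bool:
    """Match one dNSName from the certificate against the hostname.
    A wildcard is honoured only as the entire left-most label and only when
    the name has at least three labels (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname. dNSName SAN entries are
    authoritative; the subject CN is consulted only when no dNSName exists,
    which is why a CN alone cannot rescue a cert whose SAN list is incomplete."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_match_one(name, hostname) for name in dns_names)
    return any(_match_one(value, hostname)
               for rdn in cert.get("subject", ())
               for key, value in rdn if key == "commonName")


# Option 2 as the thread converges on it: service name in the CN and the SAN,
# both real node names in the SAN, so clients accept whichever node answers.
SAN_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "ldap1.example.com"),
                       ("DNS", "ldap2.example.com")),
}
# Option 1: a wildcard for the zone.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
# The trap chris mentions: the node name is only in the CN while a SAN exists.
CN_ONLY_NODE_CERT = {
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}
```

Note that the SAN certificate stops matching as soon as you rename or add nodes (ldap3 is rejected), which is the re-architecture cost the first reply raises against option 2 and in favour of a shared ldap.example.com cert behind a proxy.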
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Aaron Bennett
Sent: Thursday, March 22, 2012 10:55 AM
To: Borresen, John - 0442 - MITLL; openldap-technical@openldap.org
Subject: RE: OPENLDAP & SSL -- FOR FAILOVER