From the OpenLDAP website the two nodes have to use different URLs like below:
syncrepl rid=001 provider=ldap://ldap-sid2.example.com bindmethod=simple binddn="cn=mirrormode,dc=example,dc=com" credentials=mirrormode searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +"
and
syncrepl rid=001 provider=ldap://ldap-sid1.example.com bindmethod=simple binddn="cn=mirrormode,dc=example,dc=com" credentials=mirrormode searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +"
I can set two different certificates so that TLS is fine for sync between the two nodes. However, we will have regular LDAP clients accessing these two nodes behind a load balancer over TLS too. Obviously the client can't connect with ldap-sid2.example.com, nor with ldap-sid1.example.com. So what is the solution to this scenario? Set up a pool of consumers with the same hostname?
Thanks, Daniel
What I did:
- setup servers behind VIP
- obtain cert with primary name of VIP DNS w/ secondary names of the servers.
That way, the servers can sync/trust each other via the same cert used by clients.
Note: some clients (lookin at you, Firefox) won't use the primary name if subjectAltName exists - so include the primary name in the alt names JIC.
- chris
Chris Jacobs, Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing and Product Development | Aptimus, Inc.
2001 6th Ave | Suite 3200 | Seattle, WA 98121
direct 206.839.8245 | cell 206.601.3256 | fax 206.839.8106
email chris.jacobs@apollogrp.edu
From: openldap-technical-bounces@OpenLDAP.org  To: openldap-technical@openldap.org  Sent: Fri Aug 26 12:49:04 2011  Subject: Syncrepl over TLS for mirrormode
Still not sure how you did it. Are you saying you set the same certificate in slapd and played with DNS to make it look like only one server (URL) to everyone?
Thanks, Daniel
On 11-08-26 4:03 PM, Chris Jacobs wrote:
To avoid all these name problems and to keep things simple I use a wildcard certificate.
This cert is also used on the real servers and on the load balancer.
The clients talk only to a load balancer, where I have 2 IP addresses: one for ldapwrite.domain.com and one for ldapread.domain.com. The load balancer terminates the SSL connection for port 636 and creates a new session to the backend server.
The reason that I also have the wildcard cert on the backend servers is for secure connections over 389. The load balancer doesn't speak the LDAP protocol, so if a client is doing a StartTLS he would get the cert from the real server.
If 389 is not needed, then I think 1 or 2 certs on a load balancer would be enough. The replication also works with self-signed certs if configured correctly.
-- Marco
On Aug 26, 2011, at 10:35 PM, Daniel Qian wrote:
Our clients are mainly nss_ldap connecting with StartTLS, so it looks like our best bet is either a wildcard cert or SubjectAltName. SubjectAltName seems a bit more complicated to do, as in OpenSSL I will have to edit the openssl.cnf file, add all the hostnames and recreate the CSR. We use a local CA here for signing all the certificates used in protected communications.
Thanks, Daniel
On 11-08-27 3:45 PM, Marco Schirrmeister wrote:
Apologies for taking a while (and top posting - blackberry).
1) I setup the mirror-mode servers behind a VIP (named ldapmaster1 & 2). VIP hosted on an F5 BigIP - which doesn't load balance StartTLS - which was fine by us - all 389 connections are insecure and all 686 (?) are secure.
2) I created a cert via a CA trusted on all my client machines with:
2.A) Subject: ldap-vip.[domain]
2.B) subjectAltName(s): ldapmaster1.[domain], ldapmaster2.[domain], ldap-vip.[domain]
(Subject included in alt name list as some clients - like firefox - ignore the subject if alt names exist - dumb IMNSHO.)
Then the servers use the same cert to sync w/ each other as the clients use to connect to the VIP (or if needed, directly to the ldapmaster servers).
The subjectAltName part of a cert is the 'tricky' part I think you're missing knowledge of.
A wildcard cert works too, but then it'd be valid for any host *.[domain]. Not the most secure setup.
- chris
From: Daniel Qian <daniel@up247solution.com>  To: Chris Jacobs  Cc: openldap-technical@openldap.org  Sent: Fri Aug 26 13:35:10 2011  Subject: Re: Syncrepl over TLS for mirrormode
Yes, I wasn't aware of subjectAltName, and I am still not sure if nss_ldap in the OS honors that, but I will test it out. Thanks Chris for answering back.
On 11-08-27 4:23 PM, Chris Jacobs wrote:
On Saturday, 27 August 2011 22:37:59 Daniel Qian wrote:
Yes I wasn't aware of subjectAltName and I am still not sure if nss_ldap in the OS honors that but I will test it out. Thanks Chris for answering back.
nss_ldap supports it if the underlying ldap library supports it.
Solaris' ldapclient doesn't ...
So (since we have a few Solaris boxes), we use individual certs where the subject is the same (the canonical name of the load-balanced servers), with subjectAltNames for all the additional names/IPs for the individual server.
Regards, Buchan
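As an added example (not code from this thread or from OpenLDAP), here are the host-name matching rules an RFC 6125 client applies, run over constructed certificates laid out the way Chris and Buchan describe: it shows why the VIP name has to be in the SAN list as well as the subject, how far a wildcard cert reaches, and what a CN-only client such as Buchan's Solaris ldapclient would accept. The host names are assumed (the thread's names under example.com) and the Cert class is a stand-in for a parsed certificate, not an X.509 parser.

```python
"""Hostname matching the way RFC 6125 TLS clients do it, applied to the
certificate layouts proposed in this thread (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Only the name fields of a certificate; constructed, not parsed from DER."""
    subject_cn: str
    san_dns: tuple = ()  # dNSName entries of subjectAltName, if any


def name_matches(pattern, hostname):
    """Compare one certificate name with a host name.

    A '*' is honoured only as the entire leftmost label, it matches exactly
    one label, and at least two labels must follow it: '*.example.com'
    matches 'ldapmaster1.example.com' but neither 'example.com' nor
    'a.b.example.com', and 'ldap*.example.com' is not a wildcard at all."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches(cert, hostname):
    """Client following RFC 6125 (Firefox, as Chris notes): once the cert
    carries any dNSName, only the SAN list is consulted and the subject CN is
    ignored, which is why the VIP name must appear in the SAN list too."""
    if cert.san_dns:
        return any(name_matches(n, hostname) for n in cert.san_dns)
    return name_matches(cert.subject_cn, hostname)


def legacy_host_matches(cert, hostname):
    """Client that knows nothing about subjectAltName (Buchan's Solaris
    ldapclient): only the subject CN is ever compared."""
    return name_matches(cert.subject_cn, hostname)


# Constructed certificates mirroring the layouts discussed on the list.
HOSTS = ("ldap-vip.example.com", "ldapmaster1.example.com",
         "ldapmaster2.example.com", "other.example.com")
SAN_WITHOUT_CN = Cert("ldap-vip.example.com",
                      ("ldapmaster1.example.com", "ldapmaster2.example.com"))
CHRIS_CERT = Cert("ldap-vip.example.com",
                  ("ldapmaster1.example.com", "ldapmaster2.example.com",
                   "ldap-vip.example.com"))
WILDCARD_CERT = Cert("*.example.com", ("*.example.com",))
# Buchan's per-server variant: same subject on every node, SANs only for that node.
BUCHAN_NODE1 = Cert("ldap-vip.example.com",
                    ("ldap-vip.example.com", "ldapmaster1.example.com"))


def coverage(cert, hosts=HOSTS, matcher=host_matches):
    """Map each host name to whether a client using `matcher` accepts `cert` for it."""
    return {h: matcher(cert, h) for h in hosts}
```

Run coverage() against each constructed cert to see, per client type, which of the VIP and node names a connection would be accepted under.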
On Friday, August 26, 2011 3:49 PM -0400, Daniel Qian <daniel@up247solution.com> wrote:
I can set two different certificates so that TLS is fine for sync between the two nodes. However we will have regular Ldap client access these two nodes behind a loadbalancer over TLS too. Obviously the client can't connect with ldap-sid2.example.com, nor with ldap-sid1.example.com. So what is the solution to this scenario? Setup a pool of consumers with same hostname?
Set "subjectAltName" in your cert requests.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration