I'm kind of confused about how to handle encryption certificates with a load balancer in place. I'm using the setupssl.sh script to create our certs and insert them into the LDAP instances - and this uses each LDAP servers hostname.
Our current configuration is that ldap requests go to a GTM, which directs the request to its closest data center load balancers. We have identical certs on each load balancer, and encrypt from the client to the load balancer, then plain text inside the data center from load balancer to ldap servers. We want to make the entire path encrypted so the load balancers would just act as pass throughs. But what I'm not quite clear on is how we would direct the requests - can we continue to use our GTM url or do we somehow need to tell the clients which servers they are connecting to? In my testing I've appended the certs from my test LDAPs to the F5 cert that I have on my test clients and I can authenticate making a direct connection to any of the test LDAPs, but I am putting in a server name. No test load balancers to test this out on so I have no idea what will happen when I actually try to go through the load balancers. Do the certs have to have the server hostnames in them or can I create a cert that has a virtual name and put that on all the LDAP servers? EJ -- 389 users mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/389-users
