I actually had the TLS_REQCERT set to allow, not never, would this make a difference? The error I'm getting is "TLS: hostname (1.example.com) does not match common name in certificate (2.example.com)." I thought "allow" would keep this error from happening.
- Jeremiah

On 4/27/06, Jeremiah Martell <[EMAIL PROTECTED]> wrote:
I can do an ldapsearch over SSL and non-SSL directly to one of the "behind
the load balancer" LDAP servers. I can do an ldapsearch over non-SSL to the
load balancer, but SSL to the load balancer fails - it looks like SSL
connects fine, but nothing happens after that. I'm going to add some logging
and see what I get. Hopefully it will shed more light on the matter. If you
have any suggestions in the meantime I'd love to hear them. :-) I'll try
posting my results here when I get them.

- Jeremiah

On 4/26/06, Samuel Tran <[EMAIL PROTECTED]> wrote:
> On Wed, 2006-04-26 at 15:46 -0400, Jeremiah Martell wrote:
> > On 4/24/06, Samuel Tran <[EMAIL PROTECTED]> wrote:
> > > On Mon, 2006-04-24 at 10:55 -0400, Jeremiah Martell wrote:
> > > > I'm having some troubles with using SSL over an LDAP load balancer.
> > > > Without SSL everything works fine, but when I turn on SSL I get a
> > > > failure. But if I use SSL and bypass the load balancer and point
> > > > directly to an LDAP directory everything works fine again.
> > > >
> > > > Is there something tricky or special I need to know to get this to work?
> > >
> > > Hi Jeremiah,
> > >
> > > What is the error message you got when trying to communicate with the
> > > LDAP load balancer over SSL? What DNS names did you use to contact the
> > > load balancer and each individual LDAP server? How did you create the
> > > SSL certificates for the LDAP servers?
> > >
> > > I suspect that you haven't created the SSL certificates for the LDAP
> > > servers with the 'SubjectAltName' field set to the DNS name of the load
> > > balancer.
> > >
> > > Hope this helps.
> > >
> > > Sam
> >
> > I know the load balancer is set up properly because another ldap client
> > can connect to it with SSL and do searches ok.
> >
> > The error message I got was just "-1" unable to connect.
> >
> > With my openldap client I have the TLS_REQCERT option set to "never"
> > in ldap.conf, so it shouldn't be a bad name in the certificate, right?
> >
> > Using Ethereal it looks like a valid SSL session is initiated, but
> > then there's no SSL data traffic afterwards. I'm at a loss as to what
> > could be causing this. Any ideas on what to try or look for?
>
> If TLS_REQCERT is properly set to 'never' in your ldap.conf, then the CN
> or the 'SubjectAltName' in the server certificate don't matter.
>
> What do you have in the LDAP log on the server that the connection is
> redirected to? Can you do an ldapsearch over SSL directly to one of the
> LDAP servers using its IP address?
>
> Sam
>
> --

- Jeremiah
[EMAIL PROTECTED]

--
- Jeremiah
[EMAIL PROTECTED]
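The two points this thread turns on, the hostname check that produced "hostname (1.example.com) does not match common name in certificate (2.example.com)" and Sam's suggestion of putting the load balancer's DNS name into the certificate's SubjectAltName, can be seen side by side in the following added example. It is not code from the thread or from OpenLDAP; it is an RFC 6125-style matcher run over constructed certificate descriptions shaped like the dicts Python's `ssl.SSLSocket.getpeercert()` returns. The names `1.example.com` and `2.example.com` are the ones from the thread; the certificate contents, the helper names and the "reason" strings are assumptions made for the illustration.

```python
"""Hostname-versus-certificate matching, as a TLS client performs it before
trusting an LDAP server. Added example for this thread; not OpenLDAP's code.
Certificate dicts follow the shape of ssl.SSLSocket.getpeercert()."""


def san_dns_names(cert):
    """DNS entries from subjectAltName; empty list if the cert has none."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """The subject commonName, or None if the subject has no CN."""
    for rdn in cert.get("subject", ()):
        for (kind, value) in rdn:
            if kind == "commonName":
                return value
    return None


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, same number of labels,
    and a wildcard accepted only as the entire leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Assumption: refuse wildcards that would cover a whole TLD (e.g. *.com).
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial-label wildcards such as ld*.example.com are rejected
    return p_labels == h_labels


def cert_matches_hostname(cert, hostname):
    """Return (ok, reason). SAN dNSName entries are authoritative when present;
    the CN is consulted only for a certificate that carries no DNS SAN at all."""
    sans = san_dns_names(cert)
    if sans:
        for name in sans:
            if dns_name_matches(name, hostname):
                return True, "matched subjectAltName %s" % name
        return False, "hostname (%s) does not match any subjectAltName %r" % (hostname, sans)
    cn = common_name(cert)
    if cn is not None and dns_name_matches(cn, hostname):
        return True, "matched commonName %s" % cn
    # Reason string modelled on the error quoted in the thread.
    return False, "hostname (%s) does not match common name in certificate (%s)" % (hostname, cn)


# Constructed sample certificates (no keys involved; only the name fields matter here).
# A backend server certificate issued with nothing but its own name in the CN:
BACKEND_ONLY_CERT = {
    "subject": ((("commonName", "2.example.com"),),),
}
# The same server's certificate reissued with the load balancer's name in the SAN:
LB_AWARE_CERT = {
    "subject": ((("commonName", "2.example.com"),),),
    "subjectAltName": (("DNS", "2.example.com"), ("DNS", "1.example.com")),
}


def demo():
    """Check both certificates against the load balancer name and the backend name."""
    results = {}
    for label, cert in (("cn-only", BACKEND_ONLY_CERT), ("with-san", LB_AWARE_CERT)):
        for host in ("1.example.com", "2.example.com"):
            results[(label, host)] = cert_matches_hostname(cert, host)
    return results


if __name__ == "__main__":
    for (label, host), (ok, reason) in demo().items():
        print("%-8s %-14s %-5s %s" % (label, host, ok, reason))
```

Run stand-alone, the CN-only certificate passes for `2.example.com` and fails for `1.example.com` with the same wording as the error in the thread, while the certificate carrying both names in its SAN passes for either hostname, which is the effect of Sam's SubjectAltName suggestion when a client connects through the load balancer's name.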
