On Fri, 2006-06-09 at 09:58 -0400, Jeremiah Martell wrote:
> I actually had the TLS_REQCERT set to allow, not never, would this
> make a difference? The error I'm getting is "TLS: hostname
> (1.example.com) does not match common name in certificate
> (2.example.com)." I thought "allow" would keep this error from
> happening.
>
> - Jeremiah
>
> On 4/27/06, Jeremiah Martell <[EMAIL PROTECTED]> wrote:
> > I can do an ldapsearch over SSL and non-SSL directly to one of the
> > "behind the load balancer" LDAP servers. I can do an ldapsearch over
> > non-SSL to the load balancer, but SSL to the load balancer fails - it
> > looks like SSL connects fine, but nothing happens after that.
> >
> > I'm going to add some logging and see what I get. Hopefully it will
> > shed more light on the matter. If you have any suggestions in the
> > meantime I'd love to hear them. :-) I'll try posting my results here
> > when I get them.
> >
> > - Jeremiah
> >
> > On 4/26/06, Samuel Tran <[EMAIL PROTECTED]> wrote:
> > > On Wed, 2006-04-26 at 15:46 -0400, Jeremiah Martell wrote:
> > > > On 4/24/06, Samuel Tran <[EMAIL PROTECTED]> wrote:
> > > > > On Mon, 2006-04-24 at 10:55 -0400, Jeremiah Martell wrote:
> > > > > > I'm having some troubles with using SSL over an LDAP load balancer.
> > > > > > Without SSL everything works fine, but when I turn on SSL I get a
> > > > > > failure. But if I use SSL and bypass the load balancer and point
> > > > > > directly to an LDAP directory everything works fine again.
> > > > > >
> > > > > > Is there something tricky or special I need to know to get this to
> > > > > > work?
> > > > > >
> > > > >
> > > > > Hi Jeremiah,
> > > > >
> > > > > What is the error message you got when trying to communicate with the
> > > > > LDAP load balancer over SSL? What DNS names did you use to contact the
> > > > > load balancer and each individual LDAP server? How did you create the
> > > > > SSL certificates for the LDAP servers?
> > > > >
> > > > > I suspect that you haven't created the SSL certificates for the LDAP
> > > > > servers with the 'SubjectAltName' field set to the DNS name of the
> > > > > load balancer.
> > > > >
> > > > > Hope this helps.
> > > > >
> > > > > Sam
> > > > >
> > > >
> > > > I know the load balancer is set up properly because another ldap client
> > > > can connect to it with SSL and do searches ok.
> > > >
> > > > The error message I got was just "-1" unable to connect.
> > > >
> > > > With my openldap client I have the TLS_REQCERT option set to "never"
> > > > in ldap.conf, so it shouldn't be a bad name in the certificate, right?
> > > >
> > > > Using Ethereal it looks like a valid SSL session is initiated, but
> > > > then there's no SSL data traffic afterwards. I'm at a loss as to what
> > > > could be causing this. Any ideas on what to try or look for?
> > > >
> > >
> > > If TLS_REQCERT is properly set to 'never' in your ldap.conf, then the CN
> > > or the 'SubjectAltName' in the server certificate don't matter.
> > >
> > > What do you have in the LDAP log on the server that the connection is
> > > redirected to? Can you do an ldapsearch over SSL directly to one of the
> > > LDAP servers using its IP address?
> > >
> > > Sam
> > >
Jeremiah,

I did the test with TLS_REQCERT set to 'allow' and got the same result as you. I am not sure what they mean by 'bad certificate' in the manual page of 'ldap.conf'.

If you set TLS_REQCERT to 'never', does it fix the problem you were having with your LDAP load balancer?

Sam
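The failure quoted above ("hostname (1.example.com) does not match common name in certificate (2.example.com)") is a hostname check, not a chain check: the client connected to the balancer's name but the backend presented a certificate issued to its own name, and Sam's suggested fix is to reissue the backend certificates with the balancer's DNS name in SubjectAltName. The example below is added here and is not code from the thread or from OpenLDAP. It models that check on constructed certificate identity fields (no real certificate is parsed) using the RFC 6125 rule: compare the connected hostname against the certificate's dNSName SAN entries and consult the subject CN only when the certificate carries no dNSName SAN. Whether a particular libldap release also falls back to the CN when SANs are present is an assumption this example does not settle. The hostnames `1.example.com` and `2.example.com` are the ones from the thread; `ServerCert`, `hostname_matches`, `check_reason` and `san_extension_line` are names chosen for this illustration.

```python
"""Hostname check for a TLS-fronted LDAP farm (constructed example).

Shows why a backend certificate issued only to 2.example.com fails when
the client connects to the balancer name 1.example.com, and why adding
the balancer's name to SubjectAltName makes the same certificate pass.
Matching rule follows RFC 6125 (SAN dNSName entries first; CN only when
no dNSName SAN exists); libldap's exact fallback order per version is an
assumption, not asserted here.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """Identity fields of an X.509 server certificate (constructed, no real cert parsed)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _label_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison allowing one leftmost-label wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # "*.example.com" matches exactly one extra label: "1.example.com",
    # but neither "example.com" nor "a.b.example.com".
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches(hostname: str, cert: ServerCert) -> bool:
    """RFC 6125: SAN dNSName entries win; CN is consulted only when there are none."""
    if cert.san_dns:
        return any(_label_matches(p, hostname) for p in cert.san_dns)
    return _label_matches(cert.common_name, hostname)


def check_reason(hostname: str, cert: ServerCert) -> Optional[str]:
    """None when the name is accepted, otherwise a message shaped like the one in the thread."""
    if hostname_matches(hostname, cert):
        return None
    if cert.san_dns:
        return (f"TLS: hostname ({hostname}) does not match subjectAltName "
                f"in certificate ({', '.join(cert.san_dns)})")
    return (f"TLS: hostname ({hostname}) does not match common name "
            f"in certificate ({cert.common_name})")


def san_extension_line(names: List[str]) -> str:
    """subjectAltName line to hand OpenSSL via -extfile when reissuing a backend cert."""
    return "subjectAltName=" + ",".join(f"DNS:{n}" for n in names)


BALANCER = "1.example.com"  # name the client connects to
BACKEND = "2.example.com"   # name the server behind the balancer was issued for

# As deployed in the thread: the backend cert names only itself, no SAN.
CERT_AS_DEPLOYED = ServerCert(common_name=BACKEND)
# Sam's fix: the same backend reissued with the balancer's name in the SAN.
CERT_FIXED = ServerCert(common_name=BACKEND, san_dns=[BACKEND, BALANCER])

if __name__ == "__main__":
    for label, cert in (("as deployed", CERT_AS_DEPLOYED), ("with SAN", CERT_FIXED)):
        for host in (BACKEND, BALANCER):
            print(f"{label:12} connect to {host}: {check_reason(host, cert) or 'ok'}")
    print(san_extension_line([BACKEND, BALANCER]))
```

Two practitioner notes. Once a certificate carries any dNSName SAN, the CN is no longer consulted under the RFC 6125 rule, so the reissued certificate must list the backend's own name as well as the balancer's, or direct connections to the backend start failing the same way. And setting TLS_REQCERT to never makes the symptom disappear by disabling server certificate checking altogether, which leaves every bind credential sent over that connection exposed to anyone who can answer for the balancer's address; the SAN fix is the one that keeps the check.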
