Aaron Richton wrote:
I don't see this...
You're seeing the correct behavior; libldap was changed along these
lines back in April 2003. If someone is trying this and getting a
different behavior they must be using a very very old library.
[put NotTheCert in /etc/hosts]
$ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/";
'(doesnt=exist)'
No such object (32)
$ ed ldap.conf
633
1,$s/never/demand/p
TLS_REQCERT demand
w
634
q
$ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/";
'(doesnt=exist)'
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer
certificate
Certainly appears to instigate different behavior to me.
However, the whole point of the load balancer is to make everything look
the same. Toward that end, why would you want server1 and server2 to
look different--might as well lose the load balancer at that point. With
the load balancer, either use subjectAltNames, or just get a cert for
"loadbalancer.example.com" and use that. We do the latter; I don't
*want* the users to see that they're connected to server1 or server2 or....
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
