Re: [389-users] SSL/TLS with a hardware load balancer

2011-06-10 Thread Angel Bosch Mora
- Original message -
> Has anyone engineered a design to run 389-ds servers behind a hardware
> load balancer like an f5 LTM? I've found this question presented
> before, but never answered.
> 
> a) the openldap-clients ldap module will query the first host/uri in
> the list until the port goes down
> b) the server can run out of file descriptors or memory and stop
> answering queries without closing the port
> c) pointing clients at a virtualized name on a hardware LB will
> present a name conflict. The SSL cert on the directory server must
> match the v-name on the LB to answer queries, but it must match the
> local hostname for replication agreements.
>


cd /etc/dirsrv/

# -R: generate a CSR, -s: subject, -d .: NSS database in the current directory,
# -a: ASCII (PEM) output, -8: comma-separated DNS subjectAltNames
certutil -R -s "CN=hostname,OU=example,O=example,L=example,ST=example,C=example" \
    -o example.csr -d . -a \
    -8 hostname.example.com,ldap.example.com,repl.another.one


This is the only step that can't be done through the GUI; the rest is in the 
official docs.



abosch
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
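Following on from the certutil step above, the check I would run before sending the CSR to the CA: does the -8 list actually cover every name the replica is reached by (the LB virtual name, the local hostname used in replication agreements, and each peer)? This is an added example, not code from the post or from 389-ds; the host names in it are constructed placeholders.

```python
"""Validate the DNS names handed to ``certutil -8`` against every name a 389-ds
replica must answer for. Added example, not from the list post or 389-ds."""

def _norm(name):
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.strip().rstrip(".").lower()

def san_matches(san, hostname):
    """True if one SAN dNSName entry covers hostname.

    Wildcards are accepted only as the whole leftmost label ("*.example.com")
    and match exactly one label, which is how TLS clients evaluate them
    (RFC 6125 section 6.4.3): "*.example.com" covers "ldap.example.com" but
    neither "example.com" nor "a.b.example.com".
    """
    san, hostname = _norm(san), _norm(hostname)
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                       # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label

def missing_names(san_list, required):
    """san_list: the comma-separated string given to -8.
    required: every name clients or replication agreements will use.
    Returns the required names that no SAN entry covers, sorted."""
    sans = [s for s in san_list.split(",") if s.strip()]
    return sorted(_norm(h) for h in required
                  if not any(san_matches(s, h) for s in sans))

def certutil_csr_argv(subject, san_list, csr="example.csr", dbdir="."):
    """argv for the CSR step from the reply (usable with subprocess.run)."""
    return ["certutil", "-R", "-s", subject, "-o", csr, "-d", dbdir, "-a",
            "-8", san_list]

if __name__ == "__main__":
    # Constructed: one replica behind the LB name ldap.example.com, with a
    # second replica's hostname not yet in the -8 list.
    sans = "hostname.example.com,ldap.example.com,repl.another.one"
    needed = ["ldap.example.com", "hostname.example.com", "repl.another.one",
              "hostname2.example.com"]
    print("missing:", missing_names(sans, needed))   # ['hostname2.example.com']
    print(" ".join(certutil_csr_argv("CN=hostname.example.com,O=example", sans)))
```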


[389-users] SSL/TLS with a hardware load balancer

2011-06-10 Thread Beamon, John
Has anyone engineered a design to run 389-ds servers behind a hardware load 
balancer like an f5 LTM?  I've found this question presented before, but never 
answered.

a) the openldap-clients ldap module will query the first host/uri in the list 
until the port goes down
b) the server can run out of file descriptors or memory and stop answering 
queries without closing the port
c) pointing clients at a virtualized name on a hardware LB will present a name 
conflict.  The SSL cert on the directory server must match the v-name on the LB 
to answer queries, but it must match the local hostname for replication 
agreements.

I have not found an example where someone has started a second, 
replication-only listener on the database or configured an LTM to accept 
multiple v-names...  This may be feasible with a robust SSL accelerator, but we 
don't have one on hand.


John Beamon


