[389-users] SSL/TLS with a hardware load balancer
Angel Bosch Mora
angbosch at conselldemallorca.net
Fri Jun 10 20:27:10 UTC 2011
----- Missatge original -----
> Has anyone engineered a design to run 389-ds servers behind a hardware
> load balancer like an f5 LTM? I've found this question presented
> before, but never answered.
>
> a) the openldap-clients ldap module will query the first host/uri in
> the list until the port goes down
> b) the server can run out of file descriptors or memory and stop
> answering queries without closing the port
> c) pointing clients at a virtualized name on a hardware LB will
> present a name conflict. The SSL cert on the directory server must
> match the v-name on the LB to answer queries, but it must match the
> local hostname for replication agreements.
>
cd /etc/dirsrv/<instance>
certutil -R -s "CN=hostname,OU=example,O=example,L=example,ST=example,C=example" -o example.csr -d . -a -8 hostname.example.com,ldap.example.com,repl.another.one
this is the only step that can't be done through gui, the rest is in the official docs.
abosch
More information about the 389-users
mailing list