SSL/TLS with a hardware load balancer
Has anyone engineered a design to run 389-ds servers behind a hardware load balancer like an f5 LTM? I've found this question presented before, but never answered.
a) the openldap-clients ldap module will query the first host/uri in the list until the port goes down
b) the server can run out of file descriptors or memory and stop answering queries without closing the port
c) pointing clients at a virtualized name on a hardware LB will present a name conflict. The SSL cert on the directory server must match the v-name on the LB to answer queries, but it must match the local hostname for replication agreements.
I have not found an example where someone has started a second, replication-only listener on the database or configured an LTM to accept multiple v-names... This may be feasible with a robust SSL accelerator, but we don't have one on hand.
389 users mailing list
|All times are GMT. The time now is 04:29 PM.|
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.