SSL/TLS with a hardware load balancer
----- Missatge original -----
> Has anyone engineered a design to run 389-ds servers behind a hardware
> load balancer like an f5 LTM? I've found this question presented
> before, but never answered.
> a) the openldap-clients ldap module will query the first host/uri in
> the list until the port goes down
> b) the server can run out of file descriptors or memory and stop
> answering queries without closing the port
> c) pointing clients at a virtualized name on a hardware LB will
> present a name conflict. The SSL cert on the directory server must
> match the v-name on the LB to answer queries, but it must match the
> local hostname for replication agreements.
certutil -R -s "CN=hostname,OU=example,O=example,L=example,ST=exa mple,C=example" -o example.csr -d . -a -8 hostname.example.com,ldap.example.com,repl.another .one
this is the only step that can't be done through gui, the rest is in the official docs.
389 users mailing list