utilizing load balancer for LDAP

Robert Rust robert.j.rust at uwrf.edu
Wed Nov 21 16:49:17 EST 2018

I’m trying to better load-balance our LDAP (Active Directory) servers that Shibboleth connects to, since it currently tends to hang onto one, even though two are configured in the ldap.properties file. I have a load balancer set up, but it doesn’t do SSL off-loading, so Shibboleth/ldaptive doesn’t like the fact that the SSL certificate doesn’t match the name. I’m using keyStoreTrust and would like it to trust any cert contained therein, regardless of the server presenting it. Is that feasible? I found some posts on an ldaptive mailing list regarding AllowAnyHostnameVerifier, but it’s not apparent to me whether that would work or how to get it into the config.
I’d rather not have to set up a pair of load balancers capable of SSL-offloading for this and I don’t have reasonable ability to present a single SSL certificate from both LDAP (AD) servers.

Robert J. Rust
Systems Administrator
Division of Technology Services
Univ. of Wisc. - River Falls