utilizing load balancer for LDAP

Ryan Tapp Ryan.Tapp at csulb.edu
Wed Nov 21 17:00:08 EST 2018


Robert,

Not directly addressing your question, but wondering if you include subject alternative names (SANs) for your certs?  I generate individual certs by server name for each LDAP server, but include the same SAN for the NLB service address with each.  So:

ldap01.example.com
w/ SAN ldap.example.com

ldap02.example.com
w/ SAN ldap.example.com

The IdP just points to ldap.example.com.  I don’t know if this addresses any performance issues you may have, but we’ve been using this approach for years now.

Ryan Tapp
California State University Long Beach

From: users <users-bounces at shibboleth.net> On Behalf Of Robert Rust
Sent: Wednesday, November 21, 2018 1:49 PM
To: users at shibboleth.net
Subject: utilizing load balancer for LDAP

I’m trying to better load-balance our LDAP (active directory) servers that Shibboleth connects to, since it currently tends to hang onto one, even though two are configured in the ldap.properties file. I have a load balancer set up, but it doesn’t do SSL off-loading so Shibboleth/ldaptive doesn’t like the fact that the SSL certificate doesn’t match the name. I’m using keyStoreTrust and would like it to trust any cert contained therein, regardless of the server presenting it. Is that feasible? I found some posts on an ldaptive mailing list regarding AllowAnyHostnameVerifier, but it’s not apparent to me whether that would work or how to get it into the config.
I’d rather not have to set up a pair of load balancers capable of SSL-offloading for this and I don’t have reasonable ability to present a single SSL certificate from both LDAP (AD) servers.

-Robert
--
~~~~~~~~~~~~~~~~~~~~~~~~~
Robert J. Rust
Systems Administrator
Division of Technology Services
Univ. of Wisc. - River Falls
~~~~~~~~~~~~~~~~~~~~~~~~~
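A concrete form of the per-server cert with a shared SAN that Ryan describes, as an added example that is not part of the original thread: a shell script that mints a self-signed cert for each node (the names ldap01.example.com, ldap02.example.com and the service name ldap.example.com are constructed) and uses `openssl verify -verify_hostname` to confirm each cert validates under both its own node name and the balancer name. It assumes openssl is installed; in practice the same `[ext]` section would go into a CSR for your CA rather than a self-signed cert.

```shell
#!/bin/sh
# Added example (not from the list post): mint a per-server cert whose SAN also
# carries the shared load-balancer name, then check which names it validates for.
# Assumes openssl is installed; hostnames and the work directory are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed cert for one LDAP node that also lists the service name in its SAN.
# $1 = node hostname (CN), $2 = shared service name, $3 = output file prefix
make_ldap_cert() {
  cat > "$WORK/$3.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
subjectAltName = DNS:$1,DNS:$2
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$3.key" -out "$WORK/$3.crt" \
    -config "$WORK/$3.cnf" 2>/dev/null
}

# Does the cert validate for the given hostname? Prints yes or no.
# $1 = hostname to check, $2 = cert prefix. The cert is used as its own trust
# anchor so the only thing that can fail is the hostname (SAN) check, which is
# the same check ldaptive performs when it sees the balancer's name on a node cert.
cert_matches_host() {
  if openssl verify -CAfile "$WORK/$2.crt" -verify_hostname "$1" \
       "$WORK/$2.crt" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

make_ldap_cert ldap01.example.com ldap.example.com ldap01
make_ldap_cert ldap02.example.com ldap.example.com ldap02

# Both node certs should pass for the balancer name the IdP actually uses,
# while ldap01's cert must still fail for ldap02's name.
echo "ldap01 as ldap.example.com:   $(cert_matches_host ldap.example.com ldap01)"
echo "ldap02 as ldap.example.com:   $(cert_matches_host ldap.example.com ldap02)"
echo "ldap01 as ldap02.example.com: $(cert_matches_host ldap02.example.com ldap01)"
```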