
Publishing LDAPS

Discussion in 'Windows Security' started by Marcel, Jun 24, 2009.

  1. Marcel

    Marcel Guest

    Hi all,

    We're currently investigating the possibility for Mac and Linux users to
    securely access AD so they can use the address book.
    Unfortunately they need to specify a single DC in their application. Since
    we do want to share the load to all DC's but also need availability, if for
    instance one DC is in maintenance, we want to use a loadbalancing technique.

    Normally when you loadbalance a webservice which uses SSL you create a
    certificate based on the fqdn of the 'clustername'.
    Question is, does this also work for secure ldap or will the DC refuse to
    use that certificate?

    Thanks,

    Marcel
     
  2. Joe Kaplan

    Joe Kaplan Guest

    DCs need a cert that matches their FQDN. You might be able to do something
    like what you are trying to do using a load balancer or something like that.
    You would need to be certain that the clients did not need Kerberos auth via
    LDAP.

    Another option might be to export the data into an ADAM store and load
    balance it. With SSL, ADAM is still a little fussy here and will require
    you to use a wildcard cert but you could potentially use a load balancer
    along with something like SSL termination at the LB.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"

    "Marcel" <Maaslander@newsgroup.nospam> wrote in message
    news:uNLkQ7I9JHA.2604@TK2MSFTNGP05.phx.gbl...
    > Hi all,
    >
    > We're currently investigating the possibility for mac and linux users to
    > securely access AD so they can use the address book.
    > Unfortunately they need to specify a single DC in their application. Since
    > we do want to share the load to all DC's but also need availability, if
    > for instance one DC is in maintenance, we want to use a loadbalancing
    > technique.
    >
    > Normally when you loadbalance a webservice which uses SSL you create a
    > certificate based on the fqdn of the 'clustername'.
    > Question is, does this also work for secure ldap or will the DC refuse to
    > use that certificate?
    >
    > Thanks,
    >
    > Marcel
     
  3. Marcel

    Marcel Guest

    The problem with loadbalancing is the common name that the clients should
    connect to. That name should be on the certificate and placed on the dc
    which you said for yourself will not use that one.
    We've found a workaround, specify create an addressbook account for every
    dc...

    Thanks,
    Marcel
     
  4. Joe Kaplan

    Joe Kaplan Guest

    I was thinking you could create a cert for the load balancer using a DNS
    associated only with the load balancer VIP and use SSL termination at the
    load balancer. This approach is not typically used with AD and you can run
    into some issues with it, but it might work for this specific use case.

    If you've got a reasonable workaround, definitely use that instead.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"

    "Marcel" <Maaslander@newsgroup.nospam> wrote in message
    news:Ooii4il9JHA.1248@TK2MSFTNGP04.phx.gbl...
    > The problem with loadbalancing is the common name that the clients should
    > connect to. That name should be on the certificate and placed on the dc
    > which you said for yourself will not use that one.
    > We've found a workaround, specify create an addressbook account for every
    > dc...
    >
    > Thanks,
    > Marcel
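    To make the point of the two replies above concrete (a DC's certificate must name the host the client actually dials, so a shared cluster or load-balancer name only works if that name is on the certificate, for instance as a subjectAltName, whether it is served by the DC itself or by a cert on the load balancer doing SSL termination), here is an added example that is not code from either poster. It checks a server certificate's names against the name a client connects with, using the dictionary shape Python's `ssl` module returns from `getpeercert()`. The sample certificates and the `corp.example.com` host names are constructed for the example; `fetch_peer_cert` is a helper of my own for pulling the live certificate from port 636.

```python
"""Check whether an LDAPS server certificate covers the name a client dials.

Added example for this thread, not code from the original posts. It takes a
certificate in the dictionary shape returned by ssl.SSLSocket.getpeercert()
and applies the usual server-identity rules: subjectAltName DNS entries win,
the subject commonName is only a fallback, and a wildcard matches exactly one
leftmost label. All host names below are constructed for the example.
"""
import socket
import ssl

# Constructed sample (not a real DC cert): a typical per-DC certificate that is
# valid only for the DC's own FQDN, which is what Joe describes above.
DC_CERT = {
    "subject": ((("commonName", "dc1.corp.example.com"),),),
    "subjectAltName": (("DNS", "dc1.corp.example.com"),),
}

# Constructed sample: the same DC cert with the shared cluster/VIP name added as
# an extra SAN, so clients dialling the load-balanced name are not refused.
DC_CERT_WITH_VIP_SAN = {
    "subject": ((("commonName", "dc1.corp.example.com"),),),
    "subjectAltName": (
        ("DNS", "dc1.corp.example.com"),
        ("DNS", "ldap.corp.example.com"),
    ),
}


def _dns_names(cert):
    """Return the DNS names a cert is valid for: SAN dNSName entries, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    # No SAN extension: fall back to the subject commonName, as older clients do.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def _label_match(pattern, hostname):
    """RFC 6125-style match: case-insensitive, '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*.corp.example.com' covers 'dc1.corp.example.com' but neither
    # 'corp.example.com' nor 'a.b.corp.example.com'.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate names the host the client connected to."""
    return any(_label_match(name, hostname) for name in _dns_names(cert))


def fetch_peer_cert(host, port=636, timeout=5.0, cafile=None):
    """Fetch the certificate a live LDAPS endpoint presents (network call).

    The chain is still validated (against the system store, or `cafile` for an
    internal CA); only the automatic hostname check is turned off so the cert
    comes back even when it does not match, and hostname_matches() reports why.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    # Usage: python ldaps_name_check.py ldap.corp.example.com  (the cluster name)
    name = sys.argv[1] if len(sys.argv) > 1 else "ldap.corp.example.com"
    cert = fetch_peer_cert(name)
    verdict = "covered" if hostname_matches(cert, name) else "NOT covered"
    print(f"{name} is {verdict} by certificate names {_dns_names(cert)}")
```

    Run against the cluster name from each client platform before rolling the address book out; a `NOT covered` result is exactly the refusal Marcel asks about, and it is fixed on the certificate (add the shared name as a SAN or terminate SSL at the load balancer with a cert for that name), not on the client. The check says nothing about the Kerberos-over-LDAP concern Joe raises, which is a separate issue from the certificate name.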
     
  5. Marcel

    Marcel Guest

    Joe,

    We've thought about this solution using ISA 2006 but dropped the idea when
    we noticed that those clients can use multiple servers.

    Thanks for the input.

    Marcel
     
