Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Publishing LDAPS [message #156720] Wed, 24 June 2009 01:44
Marcel (Netherlands), Junior Member, Messages: 22, Registered: June 2009
Hi all,

We're currently investigating the possibility for Mac and Linux users to
securely access AD so they can use the address book.
Unfortunately they need to specify a single DC in their application. Since
we do want to share the load across all DCs but also need availability, if for
instance one DC is in maintenance, we want to use a load-balancing technique.

Normally when you load-balance a web service which uses SSL you create a
certificate based on the FQDN of the 'cluster name'.
The question is, does this also work for secure LDAP, or will the DC refuse to
use that certificate?

Thanks,

Marcel
Re: Publishing LDAPS [message #156749 is a reply to message #156720] Wed, 24 June 2009 15:39
Joe Kaplan (United States), Member, Messages: 88, Registered: July 2009
DCs need a cert that matches their FQDN. You might be able to do something
like what you are trying to do using a load balancer or something like that.
You would need to be certain that the clients did not need Kerberos auth via
LDAP.

Another option might be to export the data into an ADAM store and load
balance it. With SSL, ADAM is still a little fussy here and will require
you to use a wildcard cert but you could potentially use a load balancer
along with something like SSL termination at the LB.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Re: Publishing LDAPS [message #156924 is a reply to message #156749] Fri, 26 June 2009 08:22
Marcel (Netherlands), Junior Member, Messages: 22, Registered: June 2009
The problem with load balancing is the common name that the clients should
connect to. That name should be on the certificate and placed on the DC,
which you yourself said will not use it.
We've found a workaround: create an address book account for every
DC...

Thanks,
Marcel
Re: Publishing LDAPS [message #156938 is a reply to message #156924] Fri, 26 June 2009 13:49
Joe Kaplan (United States), Member, Messages: 88, Registered: July 2009
I was thinking you could create a cert for the load balancer using a DNS
name associated only with the load balancer VIP and use SSL termination at the
load balancer. This approach is not typically used with AD and you can run
into some issues with it, but it might work for this specific use case.

If you've got a reasonable workaround, definitely use that instead.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
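The name-matching rule behind Joe's two replies (a DC's certificate names the DC's own FQDN, so a client that connects through a load-balancer name gets a mismatch unless the certificate also carries that VIP name or a wildcard), shown as an added example that is not from this thread; the host names and certificate name lists are constructed placeholders.

```python
"""Added example, not from the thread: the subjectAltName host-name check
an LDAPS client applies (RFC 6125 rules), run against constructed DC and
load-balancer certificate names.  All host names are placeholders."""
from typing import Iterable


def _name_match(pattern: str, host: str) -> bool:
    """Match a lowercase host against one dNSName; '*' is honoured only as
    the whole left-most label, so '*.corp.example' covers
    'ldap.corp.example' but not 'dc01.eu.corp.example' or 'corp.example'."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same label count, and the wildcard may not stand in for the
    # registered domain itself (needs at least host.domain.tld).
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(connect_name: str, san_dns_names: Iterable[str]) -> bool:
    """True if the name the client connected to is covered by the cert."""
    host = connect_name.rstrip(".").lower()
    return any(_name_match(n.rstrip(".").lower(), host) for n in san_dns_names)


# Constructed certificate name lists mirroring the thread's options.
DC_CERT = ["dc01.corp.example"]                        # auto-enrolled DC cert
VIP_CERT = ["ldap.corp.example", "dc01.corp.example"]  # cert also naming the VIP
WILDCARD_CERT = ["*.corp.example"]                     # the wildcard option


def evaluate() -> dict:
    """Which (client connect name, cert) pairs pass TLS name checking."""
    return {
        "vip_name_vs_dc_cert": hostname_matches("ldap.corp.example", DC_CERT),
        "vip_name_vs_vip_cert": hostname_matches("ldap.corp.example", VIP_CERT),
        "dc_name_vs_vip_cert": hostname_matches("dc01.corp.example", VIP_CERT),
        "vip_name_vs_wildcard": hostname_matches("ldap.corp.example", WILDCARD_CERT),
        "subdomain_vs_wildcard": hostname_matches("dc01.eu.corp.example", WILDCARD_CERT),
    }


if __name__ == "__main__":
    for case, ok in evaluate().items():
        print(f"{case:22s} {'accepted' if ok else 'REJECTED by client'}")
```

The first case is Marcel's situation: the connect name is the VIP but the DC presents its own FQDN, so the client rejects the certificate regardless of who issued it.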
Re: Publishing LDAPS [message #157102 is a reply to message #156938] Tue, 30 June 2009 09:59
Marcel (Netherlands), Junior Member, Messages: 22, Registered: June 2009
Joe,

We've thought about this solution using ISA 2006 but dropped the idea when
we noticed that those clients can use multiple servers.

Thanks for the input.

Marcel