Forum Discussion
Doug_104173
Nimbostratus
Sep 07, 2010
Load Balancing SSL LDAP requests
Has anyone load balanced client requests over SSL through a BigIP to a pool of Red Hat Directory Servers? I would like to make a master and slave pair highly available behind my BigIP load balancers, but the SSL part is killing me.
The way I see it, you would have to generate 2 certificates on the load balancer, one to give to the client making the request, the other you would install into the Directory Server, which would serve as a node in a pool on the BigIP. The BigIP would then decrypt the SSL request from the client and then re-encrypt the traffic to whichever Directory Server it was sending it to. I know you can just do an SSL pass-through on the BigIP and add a SAN to your existing certificate from the directory server, but I thought having the BigIP do all the decrypt and manage the certificates would be a more manageable solution.
I've set all this up, by the way, but of course my test machine is no longer binding to the LDAP server. I've scoured the internet and not found a good how-to describing how to accomplish what I seek.
7 Replies
- Jason_Keating
Altostratus
The way I see it, you would have to generate 2 certificates on the load balancer, one to give to the client making the request, the other you would install into the Directory Server which would serve as a node in a pool on the big IP.
- Hamish
Cirrocumulus
You don't necessarily need a cert on the backend, unless you're going to re-encrypt the traffic between the F5 and the server. (You could just run plain text, but would need to translate any redirects from ldap:// to ldaps://.)
- Doug_104173
Nimbostratus
The cert for the node should result from a private key and CSR on the node, subsequently signed by a CA the LTM trusts. Of course it's possible to skin this cat many different ways by exporting private keys etc., but I'd keep it simple and stick to best practice.
- bluepet_10591
Altostratus
Doug,
- Doug_104173
Nimbostratus
Yeah, that's pretty much what I'm trying to accomplish as well. Can you paste in the LDAP client connection command you are using? I'll try it on my side and see if I'm getting the same error in Wireshark. Also, is your LDAP server a Red Hat or 389 Directory Server? I'm actually using the 389 Directory Server.
- bluepet_10591
Altostratus
I am actually using a tool called ldp, which you can download from Microsoft. It is GUI based, so you only need to type the FQDN and the port and specify to use SSL. I am also looking into this solution, so let me know if you are successful in implementing it.
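Pulling the thread together, here is the set of tmsh commands I would use for the design Doug describes in the original post (client SSL terminated on the LTM, re-encrypted to the directory nodes, each node presenting a certificate issued from its own key and CSR by a CA the LTM trusts), with the plain-text-to-backend variant Hamish mentions noted at the end. This is an added example, not configuration from the thread, from F5 or from Red Hat; every IP address, object name, base DN and certificate file name is an assumption, and the `security ssl` monitor option is assumed to be available on the TMOS release in use.

```tmsh
# Added example (not from the thread): BIG-IP LTM objects for an LDAPS virtual
# server that terminates client TLS and re-encrypts to a pool of directory servers.
# All addresses, object names and certificate file names are assumed values.

# 1. Backend pool: two directory servers listening on LDAPS (636). The pool is
#    health-checked with an LDAP monitor derived from the built-in "ldap" monitor;
#    "security ssl" makes the monitor negotiate TLS itself (assumed to be
#    supported on the running TMOS version), so a node with a broken TLS
#    listener is marked down instead of receiving traffic.
tmsh create ltm monitor ldap ldaps_mon { defaults-from ldap security ssl base "dc=example,dc=com" filter "(objectClass=*)" }
tmsh create ltm pool ldaps_pool { members add { 10.0.0.11:636 10.0.0.12:636 } monitor ldaps_mon }

# 2. Client-side SSL profile: the certificate the LDAP clients see. It is issued
#    for the VIP's FQDN (ldap.example.com, assumed) by the internal CA, so the
#    clients only need to trust that CA, not the individual node certificates.
#    ldap-vip.crt, ldap-vip.key and internal-ca.crt must already be imported.
tmsh create ltm profile client-ssl ldaps_clientssl { defaults-from clientssl cert ldap-vip.crt key ldap-vip.key chain internal-ca.crt }

# 3. Server-side SSL profile: re-encrypt to the nodes and verify that each node
#    presents a certificate chaining to a CA the LTM trusts (ca-file).
#    "peer-cert-mode require" rejects a node whose certificate does not verify;
#    the node's private key never leaves the node, matching the CSR-on-the-node
#    approach from the replies. Add "authenticate-name <name>" only if every node
#    certificate carries that same name (e.g. a shared SAN).
tmsh create ltm profile server-ssl ldaps_serverssl { defaults-from serverssl peer-cert-mode require ca-file internal-ca.crt }

# 4. Virtual server on 636 with the client-ssl profile on the client side and
#    the server-ssl profile on the server side. SNAT automap makes the nodes see
#    the LTM as the source, so replies return through the LTM.
tmsh create ltm virtual ldaps_vs { destination 192.0.2.10:636 ip-protocol tcp profiles add { tcp { } ldaps_clientssl { context clientside } ldaps_serverssl { context serverside } } pool ldaps_pool source-address-translation { type automap } }

# Variant (plain text between LTM and nodes, as one reply suggests): omit the
# server-ssl profile and put the pool members on 389 instead of 636. Only the
# client-to-LTM leg is then encrypted, and any ldap:// referrals returned by the
# servers would have to be rewritten to ldaps:// for the clients.
tmsh save sys config
```

To check the result from a client, confirm the client-side handshake and the presented certificate with `openssl s_client -connect ldap.example.com:636`, then attempt a bind with `ldapsearch -H ldaps://ldap.example.com -x -b "dc=example,dc=com"`. If the handshake succeeds but binds fail, the usual cause in this layout is the server-side leg: with `peer-cert-mode require`, a node certificate that does not chain to the CA in `ca-file` makes the LTM drop the server-side connection, which shows up as handshake failures in `/var/log/ltm` rather than in the client's capture.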