RE: [load balancing] Load Balancing LDAP -- SSL Module, O/S Environment

From: <David.MenardIZZATthomson.com>
Date: Sat Nov 05 2005 - 17:38:01 EST

John,

Sure let me get back to you early next week.
 

Dave Ménard
Systems Engineer
 
********************************************************
The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that it is strictly prohibited (a) to disseminate, distribute or copy this communication or any of the information contained in it, or (b) to take any action based on the information in it. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.
**************************************************

-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of Bracey, John
Sent: 04 November, 2005 14:38
To: lb-l@vegan.net
Subject: RE: [load balancing] Load Balancing LDAP -- SSL Module, O/S Environment

These are sun servers on the backend, and they've been running LDAP for a long time already, secure and standard. We're looking to create a virtual front end for the existing boxes and migrate folks away from directly binding to the servers themselves.

Would love to see your sanitized config if you're willing to share.

     -John Bracey

-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of David.Menard@thomson.com
Sent: Friday, November 04, 2005 5:45 AM
To: lb-l@vegan.net
Subject: RE: [load balancing] Load Balancing LDAP -- SSL Module, O/S Environment

John,

So you have the SSL module? Regarding the secure LDAP port, what environment are you talking about? Windows 2003? Have you ensured it works with the secure port without the load balancers?

We pretty much have the same setup with the SSL module but do not use it for any other ports than 80/443.

Dave Ménard
 

-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of Bracey, John
Sent: 03 November, 2005 13:45
To: lb-l@vegan.net
Subject: [load balancing] Load Balancing LDAP

Hello Folks.

Are any of you front-ending LDAP services with a Cisco CSS1150x? I'm pretty new to the load balancing world, and I got the non-secure (port 389) part to work fine, but need a little help with the secure LDAP side.

I'm trying to get the content switch to do the SSL and pass the request to the backend server on port 389. If this is a bad approach, let me know that too :).

Below are the LDAP-pertinent parts of my config, if it helps. Any help welcome. And I won't be surprised if I have it all wrong either :). I modeled this off of some services already set up by a previous colleague.

I have two 11501's and am doing redundant-vips for the services.

Thanks in advance.

__________________________________________
John Bracey, Network Operations Supervisor
Computing & Communication Services
California State University, Chico
(530)898-5400

!*************************** GLOBAL ***************************

  ssl associate rsakey cssrsakey cssrsakeyfile
  ssl associate cert ldap-cert ldapcert

!************************** CIRCUIT **************************

circuit VLAN100

  ip address xxx.xxx.xxx.193 255.255.255.0
    ip virtual-router 4 priority 102 preempt
    ip virtual-router 3 priority 103 preempt
    ip redundant-vip 4 xxx.xxx.xxx.196 shared
    ip redundant-vip 3 xxx.xxx.xxx.194 shared
    ip critical-service 1 uportal-ssl
    ip critical-service 2 uportal-ssl

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list uportal-ssl-proxy
  ssl-server 94
  ssl-server 94 session-cache 1800
  ssl-server 94 handshake timeout 1800
  ssl-server 94 tcp virtual inactivity-timeout 300
  ssl-server 94 tcp server inactivity-timeout 300
  ssl-server 94 vip address xxx.xxx.xxx.194
  ssl-server 94 rsakey cssrsakey
  ssl-server 94 rsacert ldap-cert
  ssl-server 94 port 636
  ssl-server 94 cipher rsa-with-rc4-128-md5 xxx.xxx.xxx.194 389 weight 7
  ssl-server 95
  ssl-server 95 session-cache 1800
  ssl-server 95 handshake timeout 1800
  ssl-server 95 tcp virtual inactivity-timeout 300
  ssl-server 95 tcp server inactivity-timeout 300
  ssl-server 95 vip address xxx.xxx.xxx.196
  ssl-server 95 rsakey cssrsakey
  ssl-server 95 rsacert ldap-cert
  ssl-server 95 port 636
  ssl-server 95 cipher rsa-with-rc4-128-md5 xxx.xxx.xxx.196 389 weight 7
  active

!************************** SERVICE **************************

service ldap-1
  ip address xxx.xxx.xxx.11
  keepalive port 389
  port 389
  protocol tcp
  keepalive type script ap-kal-ldap "xxx.xxx.xxx.11"
  active

service ldap-2
  ip address xxx.xxx.xxx.165
  keepalive port 389
  port 389
  protocol tcp
  keepalive type script ap-kal-ldap "xxx.xxx.xxx.165"
  active

service ldaps-1
  ip address xxx.xxx.xxx.11
  keepalive port 636
  port 636
  protocol tcp
  keepalive type script ap-kal-ldap "xxx.xxx.xxx.11"
  active

service ldaps-2
  ip address xxx.xxx.xxx.165
  keepalive port 636
  port 636
  protocol tcp
  keepalive type script ap-kal-ldap "xxx.xxx.xxx.165"
  active

service uportal-ssl
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list uportal-ssl-proxy
  session-cache-size 15000
  active

!*************************** OWNER ***************************

owner LDAP

  content ldap-2-servers
    add service ldap-1 weight 10
    protocol tcp
    port 389
    add service ldap-2 weight 1
    vip address xxx.xxx.xxx.196
    balance weightedrr
    active

  content ldap-servers
    protocol tcp
    port 389
    balance weightedrr
    add service ldap-2 weight 1
    vip address xxx.xxx.xxx.194
    add service ldap-1 weight 10
    active

  content ldaps-2-servers
    add service ldaps-1 weight 10
    port 636
    balance weightedrr
    add service ldaps-2 weight 1
    vip address xxx.xxx.xxx.196
    protocol tcp
    active

  content ldaps-servers
    port 636
    protocol tcp
    balance weightedrr
    add service ldaps-2 weight 1
    vip address xxx.xxx.xxx.194
    add service ldaps-1 weight 10
    active

!*************************** GROUP ***************************

group LDAP
  add destination service ldap-1
  add destination service ldap-2
  vip address xxx.xxx.xxx.196
  active

____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com
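As an added illustration of the check Dave asks about (does the secure port work without the load balancers in the path?), here is a small Python probe that is not from this thread or from Cisco: it performs an anonymous LDAPv3 bind over TLS against a given host and port and returns the server's resultCode, so the same probe can be pointed at a backend on 636 and then at the VIP. The sample response bytes are constructed, and the CA file and host names are assumptions.

```python
import socket
import ssl

# Constructed sample: LDAPMessage{messageID 1, BindResponse{resultCode success(0),
# matchedDN "", errorMessage ""}} as a directory server would return it.
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")

def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(data: bytes, pos: int):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def build_bind_request(msg_id: int, dn: bytes = b"", password: bytes = b"") -> bytes:
    """LDAPv3 simple BindRequest; empty dn and password make it an anonymous bind."""
    bind = (b"\x02\x01\x03"                                  # version INTEGER 3
            + b"\x04" + _ber_len(len(dn)) + dn               # name OCTET STRING
            + b"\x80" + _ber_len(len(password)) + password)  # simple [0] password
    op = b"\x60" + _ber_len(len(bind)) + bind                # [APPLICATION 0]
    msgid = b"\x02\x01" + bytes([msg_id & 0x7F])             # single-byte ID 0..127
    return b"\x30" + _ber_len(len(msgid) + len(op)) + msgid + op

def parse_bind_response(data: bytes) -> int:
    """Return the resultCode (0 = success, 49 = invalidCredentials) of a BindResponse."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(msg, 0)                # skip messageID
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x61:                         # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    tag, code, _ = _tlv(op, 0)
    if tag != 0x0A:                         # resultCode ENUMERATED
        raise ValueError("malformed BindResponse")
    return int.from_bytes(code, "big")

def probe_ldap(host, port=636, use_tls=True, cafile=None, timeout=5.0) -> int:
    """Anonymous bind to host:port (TLS with certificate verification by default)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        sock = raw
        if use_tls:                         # cafile: CA that issued the server cert (assumed path)
            ctx = ssl.create_default_context(cafile=cafile)
            sock = ctx.wrap_socket(raw, server_hostname=host)
        sock.sendall(build_bind_request(1))
        return parse_bind_response(sock.recv(4096))
```

Run `probe_ldap("ldap-backend.example", 636, cafile="ldap-ca.pem")` directly against a backend and then the same call against the VIP; the two resultCodes should agree, and a certificate verification error on the VIP alone points at the certificate the content switch presents rather than at the directory.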

Received on Sat Nov 5 19:41:28 2005

This archive was generated by hypermail 2.1.8 : Sat Nov 05 2005 - 19:59:22 EST