Re: LDAPS connectivity
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 8 Sep 2006 14:21:34 -0500
It depends on what APIs are in use, but with Windows-based LDAP APIs, you
can still get an LDAPS connection by specifying just the domain. If the
current security context is an account in the domain you want to access, you
can do a serverless bind. Either will work.
I'm not sure if you'll have the same results with other API stacks. Since
you haven't specified anything about what the client code is here, it is hard
to say for sure.
It is also possible to call DsGetDCName explicitly instead of allowing the
LDAP API to do this work implicitly. This is all in all a much better
approach than to try to impose another load balancing technique on top of
AD.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Oscar P." <OscarP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F9D4F5F1-9267-491E-9B2A-8953CF53ED7C@xxxxxxxxxxxxxxxx
I'm not sure what you mean by having the applications use the DC locator
service. The connection provider requires a target for ldap or ldaps
connection. Are you suggesting we use "domain.com" instead of
"DCname.domain.dom" and have the locator service select a DC? If that is the
case, will that work with SSL because "domain.com" doesn't match the subject
name of "DCname.domain.com" in the certificate on the DC.
Thanks
Oscar
"Joe Kaplan" wrote:
You might be able to get this to work with a wildcard certificate
(*.domain.com) as that is the way this works with ADAM, but you really
shouldn't be load balancing LDAP access to your DCs this way. AD already
has a built-in load balancing mechanism via the DC locator service and you
should be using that in your applications instead. It avoids this whole
problem. The reason that mechanism exists for ADAM is that ADAM does not
have a similar locator facility like AD does.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Oscar P." <OscarP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2CFA3B3F-92ED-44E7-9957-63B9C36F134D@xxxxxxxxxxxxxxxx
Is there ANY way to configure SSL certificates on domain controllers to allow
for ldaps connections to more than one host name?
We can initiate an SSL connection to the FQDN hostname of the DC no
problem, but also want to connect using a load-balanced Virtual host name to
allow for application failover. This appears to be impossible unless maybe I
try using a wildcard certificate but have heard that not all applications
will support wildcard certs.
Would any other method, like maybe using Subject Alternate Name in the cert,
or binding a second IP to the DC, work?
Thanks
Oscar
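Joe's suggestion above (target the domain name, let the DC locator choose the DC, and do a serverless bind over SSL) written out with System.DirectoryServices.Protocols, as an added example that is not code from the thread. It assumes a Windows client running as a domain account and uses the thread's placeholder domain "domain.com"; the VerifyDcCertificate callback and its reliance on SessionOptions.HostName to learn which DC the locator selected are my own assumptions about the API, not something the thread states.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread. "domain.com" is the thread's placeholder.
class ServerlessLdapsBind
{
    // Accept the DC's certificate only if it chains to a trusted root and its DNS
    // name matches the DC the locator actually selected (never "domain.com" itself).
    static bool VerifyDcCertificate(LdapConnection conn, X509Certificate raw)
    {
        var cert = new X509Certificate2(raw);
        // Assumption: once connected, HostName reports the DC chosen by the
        // locator (LDAP_OPT_HOST_NAME), e.g. "dc01.domain.com".
        string dc = conn.SessionOptions.HostName;
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            if (!chain.Build(cert))
                return false; // untrusted issuer, expired, or revoked
        }
        // First DNS name from the SAN (or the CN if there is no SAN).
        string certName = cert.GetNameInfo(X509NameType.DnsName, false);
        if (string.Equals(certName, dc, StringComparison.OrdinalIgnoreCase))
            return true;
        // A wildcard such as *.domain.com covers dc01.domain.com but not domain.com.
        if (certName.StartsWith("*.", StringComparison.Ordinal))
        {
            int dot = dc.IndexOf('.');
            return dot > 0 && string.Equals(certName.Substring(1), dc.Substring(dot),
                                            StringComparison.OrdinalIgnoreCase);
        }
        return false;
    }

    static void Main()
    {
        // Target the domain, not a DC FQDN: the Windows LDAP client uses the DC
        // locator to pick a live DC, so no external load balancer is needed.
        var target = new LdapDirectoryIdentifier("domain.com", 636);
        using (var conn = new LdapConnection(target))
        {
            conn.AuthType = AuthType.Negotiate;           // bind as the current account
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true; // LDAPS on port 636
            conn.SessionOptions.VerifyServerCertificate = VerifyDcCertificate;
            conn.Bind();
        }
    }
}
```

GetNameInfo returns only the first DNS name, so a certificate whose SAN lists several names (for example a virtual host name alongside the DC FQDN) would need the SAN extension parsed in full to honour every entry.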