30 messages in org.openldap.openldap-softwareRe: failover config: servers with sam...
Subject: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
From: Ralf Haferkamp (rha@suse.de)
Date: Jul 26, 2007 11:46:48 am
List: org.openldap.openldap-software

On Thu, 26 Jul 2007 18:39:22 CEST, Donn Cave <do@u.washington.edu> wrote:

> On Jul 26, 2007, at 1:28 AM, Ralf Haferkamp wrote:
>
> [... re CRL checks ...]
>
>> They should work with 0.9.7d. IIRC that was the version I used when implementing CRL support.
>
> Right.
>
>> Note: As stated in the man-pages (ldap.conf(5) and slapd.conf(5)), when you want to use CRLs you have to specify a CACERTDIR. That directory has to be correctly hashed (using c_rehash).
>
> I don't use CACERTDIR, I put the CRL in the CA certificate.

Ah, ok that should work as well.

> That works, but there's a maintenance problem. Our CRLs expire, fairly quickly, and that breaks certificate verification, so once we have a CRL, we have to keep it up to date whether we care about it or not. There doesn't seem to be any way to reload a CRL (OpenSSL bug 1424, Nov 8 2006), so we have to restart slapd for each update. Does the CACERTDIR approach avoid this problem?

No, unfortunately not.
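The maintenance problem discussed above (a CRL whose nextUpdate has passed breaks verification, and slapd cannot reload it without a restart) is easiest to live with if the expiry is monitored ahead of time. The following is an added example, not code from the thread or from OpenLDAP: a small stdlib-only Python checker that pulls thisUpdate/nextUpdate out of each PEM-encoded CRL in a file and classifies it as ok, expiring, or expired, so the restart can be scheduled before verification starts failing. It reads the CertificateList layout from RFC 5280 with a minimal DER walker; it works on a CACERTDIR entry as well as on a CA bundle that also carries the CRL (Donn's setup). The sample CRL at the bottom is constructed in-line (dummy issuer, dummy signature, so it cannot be verified, only parsed); the warn threshold of 3 days is an assumed value. Hashing the directory is still c_rehash's job and is not replaced here.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# --- minimal DER (ASN.1) helpers, enough for the CertificateList layout in RFC 5280 ---
SEQUENCE, SET, INTEGER, OID, PRINTABLE, BITSTRING = 0x30, 0x31, 0x02, 0x06, 0x13, 0x03
UTCTIME, GENERALIZEDTIME = 0x17, 0x18


def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Build one tag-length-value element (used only to construct the sample)."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_time(tag, value):
    """UTCTime (YYMMDDHHMMSSZ, two-digit year) or GeneralizedTime (YYYYMMDDHHMMSSZ) to aware datetime."""
    text = value.decode("ascii")
    if tag == UTCTIME:                     # RFC 5280 4.1.2.5.1: 00-49 -> 20xx, 50-99 -> 19xx
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate or None) from a DER-encoded CRL."""
    _, cert_list, _ = read_tlv(der, 0)     # CertificateList ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_list, 0)     # tbsCertList ::= SEQUENCE
    pos = 0
    tag, _, after = read_tlv(tbs, pos)
    if tag == INTEGER:                     # optional version (present for v2 CRLs)
        pos = after
    for _ in range(2):                     # signature AlgorithmIdentifier, then issuer Name
        tag, _, pos = read_tlv(tbs, pos)
        if tag != SEQUENCE:
            raise ValueError("unexpected tbsCertList layout")
    tag, val, pos = read_tlv(tbs, pos)
    this_update = decode_time(tag, val)
    next_update = None
    if pos < len(tbs):
        tag, val, _ = read_tlv(tbs, pos)
        if tag in (UTCTIME, GENERALIZEDTIME):   # nextUpdate is OPTIONAL in the schema
            next_update = decode_time(tag, val)
    return this_update, next_update


def crl_status(der, now, warn_days=3):
    """Classify a CRL relative to `now`: 'expired', 'expiring', 'ok' or 'no-next-update'."""
    _, next_update = crl_validity(der)
    if next_update is None:
        return "no-next-update"
    if now >= next_update:
        return "expired"                   # verification against this CRL will already fail
    if now + timedelta(days=warn_days) >= next_update:
        return "expiring"                  # schedule the CRL refresh and slapd restart now
    return "ok"


PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def crl_statuses_in_pem(pem_text, now, warn_days=3):
    """Check every CRL block in a PEM file (CACERTDIR entry, or a CA bundle carrying the CRL)."""
    return [crl_status(base64.b64decode("".join(m.group(1).split())), now, warn_days)
            for m in PEM_CRL.finditer(pem_text)]


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_sample_crl(this_update, next_update):
    """Constructed sample CRL: dummy issuer and dummy signature, parseable but not verifiable."""
    sig_alg = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    cn = tlv(SEQUENCE, tlv(OID, bytes.fromhex("550403")) + tlv(PRINTABLE, b"Constructed Test CA"))
    issuer = tlv(SEQUENCE, tlv(SET, cn))
    utc = lambda d: tlv(UTCTIME, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + sig_alg + issuer + utc(this_update) + utc(next_update))
    return tlv(SEQUENCE, tbs + sig_alg + tlv(BITSTRING, b"\x00" * 9))


def sample_pem():
    """The constructed CRL wrapped as PEM, as it would sit in CACERTDIR or appended to a CA file."""
    der = build_sample_crl(utc_date(2007, 7, 26), utc_date(2007, 8, 25))
    return "-----BEGIN X509 CRL-----\n" + base64.encodebytes(der).decode("ascii") + "-----END X509 CRL-----\n"


if __name__ == "__main__":
    print(crl_statuses_in_pem(sample_pem(), utc_date(2007, 8, 24)))
```

In practice the input would be the real file read from disk and `now` would be `datetime.now(timezone.utc)`; run it from cron so an "expiring" result arrives while there is still time to fetch the new CRL, rehash the directory, and restart slapd.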